1.\" Copyright (c) 1997 David Nugent <davidn@blaze.net.au> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, is permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice immediately at the beginning of the file, without modification, 9.\" this list of conditions, and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. This work was done expressly for inclusion into FreeBSD. Other use 14.\" is permitted provided this notation is included. 15.\" 4. Absolutely no warranty of function or purpose is made by the author 16.\" David Nugent. 17.\" 5. Modifications may be freely made to this file providing the above 18.\" conditions are met. 19.\" 20.\" $FreeBSD$ 21.\" 22.Dd May 10, 2020 23.Dt _SECURE_PATH 3 24.Os 25.Sh NAME 26.Nm _secure_path 27.Nd determine if a file appears to be secure 28.Sh LIBRARY 29.Lb libutil 30.Sh SYNOPSIS 31.In sys/types.h 32.In libutil.h 33.Ft int 34.Fn _secure_path "const char *path" "uid_t uid" "gid_t gid" 35.Sh DESCRIPTION 36This function does some basic security checking on a given path. 37It is intended to be used by processes running with root privileges 38in order to decide whether or not to trust the contents of a given 39file. 40It uses a method often used to detect system compromise. 41.Pp 42A file is considered 43.Sq secure 44if it meets the following conditions: 45.Bl -enum 46.It 47The file exists, and is a regular file (not a symlink, device 48special or named pipe, etc.), 49.It 50Is not world writable. 51.It 52Is owned by the given uid or uid 0, if uid is not -1, 53.It 54Is not group writable or it has group ownership by the given 55gid, if gid is not -1. 56.El 57.Sh RETURN VALUES 58This function returns zero if the file exists and may be 59considered secure, -2 if the file does not exist, and 60-1 otherwise to indicate a security failure. 61The 62.Xr syslog 3 63function is used to log any failure of this function, including the 64reason, at LOG_ERR priority. 65.Sh SEE ALSO 66.Xr lstat 2 , 67.Xr syslog 3 68.Sh HISTORY 69Code from which this function was derived was contributed to the 70.Fx 71project by Berkeley Software Design, Inc. 72The function 73.Fn _secure_path 74first appeared in 75.Fx 2.2.5 . 76.Sh BUGS 77The checks carried out are rudimentary and no attempt is made 78to eliminate race conditions between use of this function and 79access to the file referenced. 80