Commit | Line | Data |
---|---|---|
19cb3d11 | 1 | .\" -*-nroff-*- |
efa7a97b | 2 | .TH chkpath 1 "6 April 1999" "Local tools" |
3 | .SH NAME | |
4 | chkpath \- check a path string for security | |
5 | .SH SYNOPSIS | |
6 | .B chkpath | |
7 | .RB [ \-vqstp ] | |
c25f05b8 MW |
8 | .RB [ \-g |
9 | .IR group ] | |
efa7a97b | 10 | .RI [ path ...] |
11 | .SH USAGE | |
12 | The | |
13 | .B chkpath | |
14 | command checks one or more path strings (i.e., lists of directories | |
15 | separated by colons) for security. If no path strings are given, the | |
16 | value of the | |
17 | .B PATH | |
18 | environment variable is examined. | |
19 | .PP | |
19cb3d11 | 20 | Each directory in turn is broken into its constituent parts and every |
efa7a97b | 21 | step which must be made through the filesystem to reach that directory |
22 | from the root is scrutinized for vulnerabilities. The checks made | |
23 | against each directory and symbolic link along the way are as follows: | |
4a1f00c4 | 24 | .IP " 1." |
efa7a97b | 25 | No step should be a directory which is world-writable unless its sticky |
26 | bit is set, and it's not the final step. | |
4a1f00c4 | 27 | .IP " 2." |
efa7a97b | 28 | No step should be a directory which is group-writable unless its sticky |
29 | bit is set, and it's not the final step. (However, see the | |
30 | .B \-t | |
31 | option below.) | |
4a1f00c4 | 32 | .IP " 3." |
efa7a97b | 33 | No step should be a directory owned by another user (other than root). |
4a1f00c4 | 34 | .IP " 4." |
efa7a97b | 35 | No step should be a symbolic link inside a sticky directory and owned by |
36 | another user. | |
37 | .PP | |
38 | The author is not aware of any weaknesses in this ruleset. The | |
39 | objective is that nobody other than the user and the superuser should be | |
40 | able to add or change the set of files available within the directories | |
41 | of the path(s). | |
1c5f5498 | 42 | .SS Options |
efa7a97b | 43 | The following command line options are available: |
44 | .TP | |
45 | .B "\-h, \-\-help" | |
46 | Displays a relatively verbose message describing how to use | |
47 | .BR chkpath . | |
48 | .TP | |
49 | .B "\-V, \-\-version" | |
50 | Displays | |
263d6e0d | 51 | .BR chkpath 's |
efa7a97b | 52 | version number. |
53 | .TP | |
54 | .B "\-u, \-\-usage" | |
55 | Displays a very terse usage summary. | |
56 | .TP | |
57 | .B "\-v, \-\-verbose" | |
58 | Makes | |
59 | .B chkpath | |
60 | more verbose about what it's doing. This option has a cumulative | |
61 | effect, so put more in for more verbosity. Note that verbose doesn't | |
62 | mean the same as interesting. The default is to report problems with | |
63 | directories and system errors. | |
64 | .TP | |
c25f05b8 MW |
65 | .B "\-g, \-\-group " group |
66 | Consider members of | |
67 | .I group | |
68 | to be trustworthy: | |
69 | .B chkpath | |
70 | won't warn about a directory being group-writable if its gid matches | |
71 | .IR group . | |
72 | The | |
73 | .I group | |
74 | may be a group name (looked up in | |
75 | .BR /etc/group ) | |
76 | or a numeric gid in decimal. | |
77 | .TP | |
efa7a97b | 78 | .B "\-q, \-\-quiet" |
79 | Makes | |
80 | .B chkpath | |
81 | less verbose about what it's doing. This option, like | |
82 | .BR \-v , | |
83 | has a cumulative effect. Each | |
84 | .B \-q | |
85 | cancels out a | |
86 | .B \-v | |
87 | option. | |
88 | .TP | |
89 | .B "\-s, \-\-sticky" | |
90 | Modifies the ruleset slightly so that any step through the filesystem is | |
91 | OK, even if world- or group-writable (but not owned by someone else), as | |
92 | long as the directory's sticky bit is set. The default is that sticky | |
93 | directories are considered safe only if they're not the final step. | |
94 | Turning this option on isn't recommended: if you use a sticky directory | |
95 | in your path then other people can add malicious commands whose names | |
96 | are common typos of standard ones. | |
97 | .TP | |
98 | .B "\-t, \-\-trust\-group" | |
99 | Modifies the ruleset slightly so that | |
100 | .B chkpath | |
101 | doesn't warn about directories group-owned by groups you're a member | |
102 | of. In other words, it trusts your fellow group-members | |
1c5f5498 | 103 | .IR "in their capacity as group-owners only" : |
efa7a97b | 104 | .B chkpath |
105 | will still warn about directories owned by people in your groups. | |
106 | .TP | |
107 | .B "\-p, \-\-print" | |
108 | Writes on standard output a colon-separated list of the directories | |
109 | which | |
110 | .B chkpath | |
111 | considered `safe'. This can be used to filter out unsafe directories in | |
112 | an automatic way: | |
113 | .RS 10 | |
114 | .nf | |
115 | .ft B | |
116 | .sp 1 | |
117 | PATH=`chkpath -qqp` | |
118 | .ft R | |
119 | .fi | |
120 | .RE | |
121 | .SH BUGS | |
122 | None known. | |
123 | .SH SEE ALSO | |
d7b5ee0c | 124 | .BR tmpdir (1), |
125 | .BR checkpath (3). | |
efa7a97b | 126 | .SH AUTHOR |
127 | Mark Wooding (mdw@nsict.org). |