.\" -*-nroff-*-
.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-vqstp ]
.RB [ \-g
.IR group ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security. If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its constituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities. The checks made
against each directory and symbolic link along the way are as follows:
.IP " 1."
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP " 2."
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step. (However, see the
.B \-t
option below.)
.IP " 3."
No step should be a directory owned by another user (other than root).
.IP " 4."
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset. The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
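.PP
The four rules above as an added Python example (not chkpath's own code, which this page does not show): check_step applies the rules to one stat record and check_dir walks a real path with lstat. The function names, the problem strings and the uid 1000 and 1001 sample records are assumptions of the example, as is treating root-owned symbolic links as trusted.
.nf
```python
import os
import stat
from types import SimpleNamespace

def check_step(st, final, parent, me, sticky_ok=False, trusted_gids=()):
    """Apply rules 1-4 to one step; st and parent carry st_mode, st_uid, st_gid.
    The problem strings are this example's wording, not chkpath's messages."""
    owner_ok = st.st_uid in (0, me)          # the user and root are trusted
    if stat.S_ISLNK(st.st_mode):
        # Rule 4; exempting root-owned links is an assumption taken from rule 3.
        in_sticky = parent is not None and bool(parent.st_mode & stat.S_ISVTX)
        bad = in_sticky and not owner_ok
        return ["symlink in sticky directory owned by another user"] if bad else []
    # A sticky directory is tolerated only as an intermediate step, unless -s.
    sticky_safe = bool(st.st_mode & stat.S_ISVTX) and (sticky_ok or not final)
    problems = []
    if st.st_mode & stat.S_IWOTH and not sticky_safe:
        problems.append("world-writable")                    # rule 1
    if st.st_mode & stat.S_IWGRP and not sticky_safe and st.st_gid not in trusted_gids:
        problems.append("group-writable")                    # rule 2 (-g, -t)
    if not owner_ok:
        problems.append("owned by another user")             # rule 3
    return problems

def check_dir(path, me=None, depth=0, **opts):
    """Check every step from the root to path; returns [(step, problem), ...]."""
    me = os.getuid() if me is None else me
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    found, parent = [], None
    for i in range(len(parts) + 1):
        step = os.sep + os.sep.join(parts[:i])
        st = os.lstat(step)
        final = i == len(parts)
        found += [(step, p) for p in check_step(st, final, parent, me, **opts)]
        if stat.S_ISLNK(st.st_mode) and depth < 16:
            # Simplification: splice the link target in and re-walk from the root.
            target = os.path.join(os.path.dirname(step), os.readlink(step), *parts[i:])
            return list(dict.fromkeys(found + check_dir(target, me, depth + 1, **opts)))
        parent = st
    return found

def demo(me=1000):
    """Constructed stat records, not taken from a real system."""
    rec = lambda mode, uid: SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=100)
    tmp = rec(stat.S_IFDIR | 0o1777, 0)           # root-owned, sticky, like /tmp
    link = rec(stat.S_IFLNK | 0o777, 1001)        # symlink made by another user
    return (check_step(tmp, False, None, me),     # intermediate step: accepted
            check_step(tmp, True, None, me),      # final step: rules 1 and 2 fire
            check_step(link, False, tmp, me))     # rule 4 fires
```
.fi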
.SS Options
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing. This option has a cumulative
effect, so put more in for more verbosity. Note that verbose doesn't
mean the same as interesting. The default is to report problems with
directories and system errors.
.TP
.B "\-g, \-\-group " group
Consider members of
.I group
to be trustworthy:
.B chkpath
won't warn about a directory being group-writable if its gid matches
.IR group .
The
.I group
may be a group name (looked up in
.BR /etc/group )
or a numeric gid in decimal.
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing. This option, like
.BR \-v ,
has a cumulative effect. Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set. The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust\-group"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of. In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" :
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'. This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1),
.BR checkpath (3).
.SH AUTHOR
Mark Wooding (mdw@nsict.org).