chkpath.c, tmpdir.c, utils.c: Add option to trust private groups.

[checkpath] / chkpath.1

.\" -*-nroff-*-
.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-pqstv ]
.RB [ \-g
.IR group ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security.  If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its constituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities.  The checks made
against each directory and symbolic link along the way are as follows:
.IP "   1."
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP "   2."
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step.  (However, see the
.B \-g
and
.B \-t
options below.)
.IP "   3."
No step should be a directory owned by another user (other than root).
.IP "   4."
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset.  The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
.SS Options
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.BI "\-g, \-\-group " group
Consider members of
.I group
to be trustworthy:
.B chkpath
won't warn about a directory being group-writable if its gid matches
.IR group .
The
.I group
may be a group name (looked up in
.BR /etc/group )
or a numeric gid in decimal.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'.  This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing.  This option, like
.BR \-v ,
has a cumulative effect.  Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set.  The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust-groups"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of.  In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" :
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing.  This option has a cumulative
effect, so put more in for more verbosity.  Note that verbose doesn't
mean the same as interesting.  The default is to report problems with
directories and system errors.
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1),
.BR checkpath (3).
.SH AUTHOR
Mark Wooding (mdw@distorted.org.uk).