ch08_18.htm

By Tom Christiansen and Nathan Torkington ISBN 1-56592-243-3 First Edition, published August 1998

<HTML
><HEAD
>
<TITLE>Recipe 8.17. Testing a File for Trustworthiness (Perl Cookbook)</TITLE>
<META
NAME="DC.title"
CONTENT="Perl Cookbook"><META
NAME="DC.creator"
CONTENT="Tom Christiansen &amp; Nathan Torkington"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1999-07-02T01:38:55Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-243-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch08_01.htm"
TITLE="8. File Contents"><LINK
REL="prev"
HREF="ch08_17.htm"
TITLE="8.16. Reading Configuration Files"><LINK
REL="next"
HREF="ch08_19.htm"
TITLE="8.18. Program: tailwtmp"></HEAD
><BODY
BGCOLOR="#FFFFFF"><img alt="Book Home" border="0" src="gifs/smbanner.gif" usemap="#banner-map" /><map name="banner-map"><area shape="rect" coords="1,-2,616,66" href="index.htm" alt="Perl Cookbook"><area shape="rect" coords="629,-11,726,25" href="jobjects/fsearch.htm" alt="Search this book" /></map><div class="navbar"><p>
<TABLE
WIDTH="684"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch08_17.htm"
TITLE="8.16. Reading Configuration Files"
><IMG
SRC="../gifs/txtpreva.gif"
ALT="Previous: 8.16. Reading Configuration Files"
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
><A
CLASS="chapter"
REL="up"
HREF="ch08_01.htm"
TITLE="8. File Contents"
></A
></FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch08_19.htm"
TITLE="8.18. Program: tailwtmp"
><IMG
SRC="../gifs/txtnexta.gif"
ALT="Next: 8.18. Program: tailwtmp"
BORDER="0"></A
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="sect1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="ch08-27276"
>8.17. Testing a File for Trustworthiness</A
></H2
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch08-pgfId-1594"
>Problem<A
CLASS="indexterm"
NAME="ch08-idx-1000004720-0"
></A
><A
CLASS="indexterm"
NAME="ch08-idx-1000004720-1"
></A
><A
CLASS="indexterm"
NAME="ch08-idx-1000004720-2"
></A
></A
></H3
><P
CLASS="para"
>You want to read from a file, perhaps because it has configuration information. You only want to use the file if it can't be written to (or perhaps not even be read from) by anyone else than its owner.</P
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch08-pgfId-1600"
>Solution</A
></H3
><P
CLASS="para"
>Use the <CODE
CLASS="literal"
>stat</CODE
><A
CLASS="indexterm"
NAME="ch08-idx-1000004728-0"
></A
> call to retrieve ownership and file permissions information. You can use the built-in version, which returns a list:</P
><PRE
CLASS="programlisting"
>( $dev, $ino, $mode, $nlink, 
  $uid, $gid, $rdev, $size, 
  $atime, $mtime, $ctime, 
  $blksize, $blocks )       = stat($filename)
        or die &quot;no $filename: $!&quot;;

$mode &amp;= 07777;             # discard file type info</PRE
><P
CLASS="para"
>Or you can use the by-name interface in:</P
><PRE
CLASS="programlisting"
>$info = stat($filename)     or die &quot;no $filename: $!&quot;;
if ($info-&gt;uid == 0) {
    print &quot;Superuser owns $filename\n&quot;;
} 
if ($info-&gt;atime &gt; $info-&gt;mtime) {
    print &quot;$filename has been read since it was written.\n&quot;;
} </PRE
></DIV
><DIV
CLASS="sect2"
><H3
CLASS="sect2"
><A
CLASS="title"
NAME="ch08-pgfId-1636"
>Discussion</A
></H3
><P
CLASS="para"
>Usually you trust users to set file permissions as they wish. If they want others to read their files, or even to write to them, that's their business. Applications like editors, mailers, and shells are often more discerning, though, refusing to evaluate code in configuration files if anyone but the owner can write to them. This helps avoid Trojan horses attacks. Security-minded programs like <EM
CLASS="emphasis"
>ftp</EM
> and <EM
CLASS="emphasis"
>rlogin</EM
> may even reject config files that can be read by anyone but their owner.</P
><P
CLASS="para"
>If the file is writable by someone other than the owner or is owned by someone other than the current user or the superuser, it shouldn't be trusted. To figure out file ownership and permissions, the <CODE
CLASS="literal"
>stat</CODE
> function is used. The following function returns true if the file is deemed safe and false otherwise. If the <CODE
CLASS="literal"
>stat</CODE
> fails, <CODE
CLASS="literal"
>undef</CODE
> is returned.</P
><PRE
CLASS="programlisting"
>use File::stat;

sub is_safe {
    my $path = shift;
    my $info = stat($path);
    return unless $info;

    # owner neither superuser nor me 
    # the real uid is in stored in the $&lt; variable
    if (($info-&gt;uid != 0) &amp;&amp; ($info-&gt;uid != $&lt;)) {
        return 0;
    }

    # check whether group or other can write file.
    # use 066 to detect either reading or writing
    if ($info-&gt;mode &amp; 022) {   # someone else can write this
        return 0 unless -d _;  # non-directories aren't safe
            # but directories with the sticky bit (01000) are
        return 0 unless $info-&gt;mode &amp; 01000;        
    }
    return 1;
}</PRE
><P
CLASS="para"
>A directory is considered safe even if others can write to it, provided that its mode 01000 (owner delete only) bit is set.</P
><P
CLASS="para"
>Careful programmers also ensure that no enclosing directory is writable. This is due to systems with the "<CODE
CLASS="literal"
>chown</CODE
> giveaway" problem in which any user can give away a file they own and make it owned by someone else. The following function handles that by using the <CODE
CLASS="literal"
>is_safe</CODE
><A
CLASS="indexterm"
NAME="ch08-idx-1000004726-0"
></A
> function to check every enclosing directory up to the root if it detects that you have the <CODE
CLASS="literal"
>chown</CODE
> problem, for which it queries the <CODE
CLASS="literal"
>POSIX::sysconf</CODE
>. If you don't have an unrestricted version of <CODE
CLASS="literal"
>chown</CODE
>, the <CODE
CLASS="literal"
>is_verysafe</CODE
><A
CLASS="indexterm"
NAME="ch08-idx-1000004727-0"
></A
> subroutine just calls <CODE
CLASS="literal"
>is_safe</CODE
>. If you do have the problem, it walks up the filesystem tree until it reaches the root.</P
><PRE
CLASS="programlisting"
>use Cwd;
use POSIX qw(sysconf _PC_CHOWN_RESTRICTED);
sub is_verysafe {
    my $path = shift;
    return is_safe($path) if sysconf(_PC_CHOWN_RESTRICTED);
    $path = getcwd() . '/' . $path if $path !~ m{^/};
    do {
        return unless is_safe($path);
        $path =~ s#([^/]+|/)$##;               # dirname
        $path =~ s#/$## if length($path) &gt; 1;  # last slash
    } while length $path;

    return 1;
}</PRE
><P
CLASS="para"
>To use this in a program, try something like this:</P
><PRE
CLASS="programlisting"
>$file = &quot;$ENV{HOME}/.myprogrc&quot;;
readconfig($file) if is_safe($file);</PRE
><P
CLASS="para"
>This has potential for a race condition, because it's presumed that the hypothetical <CODE
CLASS="literal"
>readconfig</CODE
> function will open the file. Between the time when <CODE
CLASS="literal"
>is_safe</CODE
> checks the file's stats and when <CODE
CLASS="literal"
>readconfig</CODE
> opens it, something wicked could theoretically occur. To avoid this, pass <CODE
CLASS="literal"
>is_safe</CODE
> the already open filehandle, which is set up to handle this:</P
><PRE
CLASS="programlisting"
>$file = &quot;$ENV{HOME}/.myprogrc&quot;;
if (open(FILE, &quot;&lt; $file&quot;)) { 
    readconfig(*FILE) if is_safe(*FILE);
}</PRE
><P
CLASS="para"
>You would still have to arrange for <CODE
CLASS="literal"
>readconfig</CODE
> to accept a filehandle instead of a filename, though.<A
CLASS="indexterm"
NAME="ch08-idx-1000004722-0"
></A
><A
CLASS="indexterm"
NAME="ch08-idx-1000004722-1"
></A
><A
CLASS="indexterm"
NAME="ch08-idx-1000004722-2"
></A
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="684"
TITLE="footer"><TABLE
WIDTH="684"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch08_17.htm"
TITLE="8.16. Reading Configuration Files"
><IMG
SRC="../gifs/txtpreva.gif"
ALT="Previous: 8.16. Reading Configuration Files"
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="book"
HREF="index.htm"
TITLE="Perl Cookbook"
><IMG
SRC="../gifs/txthome.gif"
ALT="Perl Cookbook"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="sect1"
HREF="ch08_19.htm"
TITLE="8.18. Program: tailwtmp"
><IMG
SRC="../gifs/txtnexta.gif"
ALT="Next: 8.18. Program: tailwtmp"
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="228"
>8.16. Reading Configuration Files</TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="228"
><A
CLASS="index"
HREF="index/index.htm"
TITLE="Book Index"
><IMG
SRC="../gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="228"
>8.18. Program: tailwtmp</TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="684"
TITLE="footer"><FONT
SIZE="-1"
></DIV<!-- LIBRARY NAV BAR --> <img src="../gifs/smnavbar.gif" usemap="#library-map" border="0" alt="Library Navigation Links"><p> <a href="copyrght.htm">Copyright &copy; 2002</a> O'Reilly &amp; Associates. All rights reserved.</font> </p> <map name="library-map"> <area shape="rect" coords="1,0,85,94" href="../index.htm"><area shape="rect" coords="86,1,178,103" href="../lwp/index.htm"><area shape="rect" coords="180,0,265,103" href="../lperl/index.htm"><area shape="rect" coords="267,0,353,105" href="../perlnut/index.htm"><area shape="rect" coords="354,1,446,115" href="../prog/index.htm"><area shape="rect" coords="448,0,526,132" href="../tk/index.htm"><area shape="rect" coords="528,1,615,119" href="../cookbook/index.htm"><area shape="rect" coords="617,0,690,135" href="../pxml/index.htm"></map> </BODY
></HTML
>