Content-type: text/html
Manpage of SAFE_FOPEN_WRAPPER
SAFE_FOPEN_WRAPPER
Section: (3)
Updated: 2011-07-26
Index
Return to Main Contents
NAME
safe_fopen_wrapper, safe_fopen_wrapper_follow, safe_fopen_no_fcreate, safe_fopen_no_fcreate_follow, safe_fcreate_fail_if_exists, safe_fcreate_replace_if_exists, safe_fcreate_keep_if_exists, safe_fcreate_keep_if_exists_follow - safely open or create a stream
SYNOPSIS
#include safe_fopen.h
FILE *safe_fopen_wrapper(const char *fn, const char *mode, mode_t perms);
FILE *safe_fopen_wrapper_follow(const char *fn, const char *mode, mode_t perms);
FILE *safe_fopen_no_create(const char *fn, const char *mode);
FILE *safe_fopen_no_create_follow(const char *fn, const char *mode);
FILE *safe_fcreate_fail_if_exists(const char *fn, const char *mode, mode_t perms);
FILE *safe_fcreate_keep_if_exists(const char *fn, const char *mode, mode_t perms);
FILE *safe_fcreate_keep_if_exists_follow(const char *fn, const char *mode, mode_t perms);
FILE *safe_fcreate_replace_if_exists(const char *fn, const char *mode, mode_t perms);
DESCRIPTION
The functions in the
safe_fopen
and
safe_fcreate
family are replacement functions for
fopen(3).
The functions open or create a file whose path name is
fn
and return a stream associated with the file.
The functions are designed to prevent common types of symbolic link attacks
where the last component of the file name is a symbolic link when creating a
file and optionally when opening an existing file. It also makes the initial
permissions for a newly created file,
perms,
a required parameter, so an appropriate value is likely to be used.
safe_fopen_wrapper and safe_fopen_wrapper_follow
are meant to easy replacement functions for existing used of
fopen(3).
The knowledgeable developers can use the remaining functions to tailor the
specific behavior desired for each use of
fopen(3).
All the functions differ from
fopen(3),
in their treatment of the last component of the file name being a
symbolic link. They all fail if an attempt is made to create
the file when the last component is a symbolic link (just like the
behavior of
open(2)
using
flags
of
O_CREAT with O_EXCL ).
safe_fopen_wrapper,
safe_fopen_no_create,
safe_fcreate_keep_if_exists
also fail when opening an existing file if the the last component is a
symbolic link.
The functions also differ from
fopen(3),
in that any of the functions that could possibly create a file the
perms
parameter is required.
Other differences and the behavior of each function is explained below in the
Functions
section.
Parameters
- fn
-
The file name to open or create.
- mode
-
This is a mode string as specified in
fopen(3).
It consists of multiple characters specifying the behavior of the function.
- perms
-
The initial permissions for a newly created file (the actual permission assigned
is further restricted by the process's umask). This is a set a
bitwise-or'd
permissions as specified in
open(2).
This parameter is required by all functions that create files, and is not
implicitly derived from the process's umask as with
fopen(3).
In C++, this value has a default value of read and write for the owner (0600),
and may be omitted.
Direct fopen(3) Replacement Functions
- safe_fopen_wrapper
-
This function is meant to be a direct replacement for
fopen(3).
The behavior of
safe_fopen_wrapper
is based on the value of
mode
at run-time. If
mode
is
r
(open for reading),
safe_fopen_no_create
is called. Otherwise if
mode
is
w
(open for writing) or
a
(open for appending),
safe_fcreate_keep_if_exists
is called.
This function differs from
fopen(3)
if the last component of the file name is a symbolic link, the functions fails
by returning
NULL
with
errno
set to
EEXIST.
- safe_fopen_wrapper_follow
-
This function is the same as
safe_fopen_wrapper
except it attempts to follow a symbolic link if it is a the last component
of the file name and the file exists.
Advanced fopen(3) Replacement Functions
- safe_fopen_no_create
-
This function opens an existing file, and never creates a file if it
does not exist, even with a
mode of a or w.
It also fails if the the last component of the file name is a symbolic link.
- safe_fopen_no_create_follow
-
This function is the same as
safe_fopen_no_create
except it attempts to follow a symbolic link if it is a the last component
of the file name and the file exists.
- safe_fcreate_fail_if_exists
-
This function attempts to create the file. It fails if the file
already exists or the last component of the file name is a symbolic link
by returning
NULL
with
errno
set to
EEXISTS.
- safe_fcreate_keep_if_exists
-
This function opens a file if it exists or creates it if it does not exist.
This function differs from
fopen(3)
in that it fails if the last component is a symbolic link.
- safe_fcreate_keep_if_exists_follow
-
This function is the same as
safe_fcreate_keep_if_exists
except it attempts to follow a symbolic link if it is a the last component
of the file name and the file exists.
- safe_fcreate_replace_if_exists
-
This function always creates a new file, first removing the directory entry
that
fn
refers. The function fails if it cannot perform this task.
Path manipulation detection and warning facility
A path manipulation of
fn
is detected when the file system object referred to by
fn
changes to a different file system object during the operation of these
functions.
If a path manipulation is detected, the functions retry their operations a
set number of times until a path manipulation is not detected. After a set
number of times, they return
NULL
with
errno
set to
EAGAIN.
All of the open replacement functions also support registering a call back
function with
safe_open_register_path_warning_callback(3).
Each time a path manipulation is detected, the callback function is called. If the
callback returns a non-zero result the function immediately fails by
returning
NULL
to the caller.
RETURN VALUE
When successful, these functions return the stream associated with the file at the
path name,
fn,
and
errno
is unchanged. If an error occurs,
NULL
is returned and
errno
is set to an appropriate value.
ERRORS
Depending on the function
errno
may be set any of the possible values that
open,
fdopen,
lstat,
ftruncate,
fstat,
fstat,
and
unlink
may use if they fail. Other than the standard behavior of
fopen(3),
the following errors may occur that would not in
fopen(3).
- EINVAL
-
fn
is
NULL
or
mode
is invalid.
- EEXIST
-
The last component of
fn
is a symbolic link when the file needs to be created in
safe_fopen_wrapper,
safe_fopen_wrapper_follow,
safe_fcreate_fail_if_exists,
safe_fcreate_keep_if_exists and
safe_fcreate_keep_if_exists_follow.
It is also returned in the case of opening an existing file where
the last component of the file name,
fn,
is a symbolic link in the functions
safe_fopen_wrapper,
safe_fopen_no_create and
safe_fcreate_keep_if_exists.
- EPERM
-
If the function
safe_fcreate_replace_if_exists
cannot remove
fn.
- EAGAIN
-
An active attack is occurring on the filename and the function was
unable to safely perform the requested action after repeated attempts.
All functions can return this except
safe_fcreate_fail_if_exists.
The application may retry the function and should eventually succeed.
AUTHOR
James A. Kupsch
SEE ALSO
safe_open_wrapper(3),
fopen(3),
open(2),
fdopen(3)
"How to Open a File and Not Get Hacked",
2008 Third International Conference on Availability, Reliability and
Security (ARES),"
Barcelona, Spain, March 2008,
http://research.cs.wisc.edu/mist/safefile
Index
- NAME
-
- SYNOPSIS
-
- DESCRIPTION
-
- Parameters
-
- Direct fopen(3) Replacement Functions
-
- Advanced fopen(3) Replacement Functions
-
- Path manipulation detection and warning facility
-
- RETURN VALUE
-
- ERRORS
-
- AUTHOR
-
- SEE ALSO
-
This document was created by
man2html,
using the manual pages.
Time: 15:16:58 GMT, August 12, 2011