[checkpath] / chkpath.1

.\" -*-nroff-*-
.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-vqstp ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security.  If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its constituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities.  The checks made
against each directory and symbolic link along the way are as follows:
.IP "   1."
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP "   2."
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step.  (However, see the
.B \-t
option below.)
.IP "   3."
No step should be a directory owned by another user (other than root).
.IP "   4."
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset.  The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
.SS Options
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's 
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing.  This option has a cumulative
effect, so put more in for more verbosity.  Note that verbose doesn't
mean the same as interesting.  The default is to report problems with
directories and system errors.
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing.  This option, like
.BR \-v ,
has a cumulative effect.  Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set.  The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust\-group"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of.  In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" :
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'.  This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1),
.BR checkpath (3).
.SH AUTHOR
Mark Wooding (mdw@nsict.org).
Commit	Line	Data
19cb3d11	1	.\" --nroff--
efa7a97b	2	.TH chkpath 1 "6 April 1999" "Local tools"
	3	.SH NAME
	4	chkpath \- check a path string for security
	5	.SH SYNOPSIS
	6	.B chkpath
	7	.RB [ \-vqstp ]
	8	.RI [ path ...]
	9	.SH USAGE
	10	The
	11	.B chkpath
	12	command checks one or more path strings (i.e., lists of directories
	13	separated by colons) for security. If no path strings are given, the
	14	value of the
	15	.B PATH
	16	environment variable is examined.
	17	.PP
19cb3d11	18	Each directory in turn is broken into its constituent parts and every
efa7a97b	19	step which must be made through the filesystem to reach that directory
	20	from the root is scrutinized for vulnerabilities. The checks made
	21	against each directory and symbolic link along the way are as follows:
4a1f00c4	22	.IP " 1."
efa7a97b	23	No step should be a directory which is world-writable unless its sticky
efa7a97b	24	bit is set, and it's not the final step.
4a1f00c4	25	.IP " 2."
efa7a97b	26	No step should be a directory which is group-writable unless its sticky
	27	bit is set, and it's not the final step. (However, see the
	28	.B \-t
	29	option below.)
4a1f00c4	30	.IP " 3."
efa7a97b	31	No step should be a directory owned by another user (other than root).
4a1f00c4	32	.IP " 4."
efa7a97b	33	No step should be a symbolic link inside a sticky directory and owned by
	34	another user.
	35	.PP
	36	The author is not aware of any weaknesses in this ruleset. The
	37	objective is that nobody other than the user and the superuser should be
	38	able to add or change the set of files available within the directories
	39	of the path(s).
1c5f5498	40	.SS Options
efa7a97b	41	The following command line options are available:
	42	.TP
	43	.B "\-h, \-\-help"
	44	Displays a relatively verbose message describing how to use
	45	.BR chkpath .
	46	.TP
	47	.B "\-V, \-\-version"
	48	Displays
	49	.BR chkpath 's
	50	version number.
	51	.TP
	52	.B "\-u, \-\-usage"
	53	Displays a very terse usage summary.
	54	.TP
	55	.B "\-v, \-\-verbose"
	56	Makes
	57	.B chkpath
	58	more verbose about what it's doing. This option has a cumulative
	59	effect, so put more in for more verbosity. Note that verbose doesn't
	60	mean the same as interesting. The default is to report problems with
	61	directories and system errors.
	62	.TP
	63	.B "\-q, \-\-quiet"
	64	Makes
	65	.B chkpath
	66	less verbose about what it's doing. This option, like
	67	.BR \-v ,
	68	has a cumulative effect. Each
	69	.B \-q
	70	cancels out a
	71	.B \-v
	72	option.
	73	.TP
	74	.B "\-s, \-\-sticky"
	75	Modifies the ruleset slightly so that any step through the filesystem is
	76	OK, even if world- or group-writable (but not owned by someone else), as
	77	long as the directory's sticky bit is set. The default is that sticky
	78	directories are considered safe only if they're not the final step.
	79	Turning this option on isn't recommended: if you use a sticky directory
	80	in your path then other people can add malicious commands whose names
	81	are common typos of standard ones.
	82	.TP
	83	.B "\-t, \-\-trust\-group"
	84	Modifies the ruleset slightly so that
	85	.B chkpath
	86	doesn't warn about directories group-owned by groups you're a member
	87	of. In other words, it trusts your fellow group-members
1c5f5498	88	.IR "in their capacity as group-owners only" :
efa7a97b	89	.B chkpath
	90	will still warn about directories owned by people in your groups.
	91	.TP
	92	.B "\-p, \-\-print"
	93	Writes on standard output a colon-separated list of the directories
	94	which
	95	.B chkpath
	96	considered `safe'. This can be used to filter out unsafe directories in
	97	an automatic way:
	98	.RS 10
	99	.nf
	100	.ft B
	101	.sp 1
	102	PATH=`chkpath -qqp`
	103	.ft R
	104	.fi
	105	.RE
	106	.SH BUGS
	107	None known.
	108	.SH SEE ALSO
d7b5ee0c	109	.BR tmpdir (1),
d7b5ee0c	110	.BR checkpath (3).
efa7a97b	111	.SH AUTHOR
efa7a97b	112	Mark Wooding (mdw@nsict.org).