[checkpath] / chkpath.1

.\" -*-nroff-*-
.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-vqstp ]
.RB [ \-g
.IR group ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security.  If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its constituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities.  The checks made
against each directory and symbolic link along the way are as follows:
.IP "   1."
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP "   2."
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step.  (However, see the
.B \-t
option below.)
.IP "   3."
No step should be a directory owned by another user (other than root).
.IP "   4."
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset.  The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
.SS Options
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing.  This option has a cumulative
effect, so put more in for more verbosity.  Note that verbose doesn't
mean the same as interesting.  The default is to report problems with
directories and system errors.
.TP
.B "\-g, \-\-group " group
Consider members of
.I group
to be trustworthy:
.B chkpath
won't warn about a directory being group-writable if its gid matches
.IR group .
The
.I group
may be a group name (looked up in
.BR /etc/group )
or a numeric gid in decimal.
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing.  This option, like
.BR \-v ,
has a cumulative effect.  Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set.  The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust\-group"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of.  In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" :
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'.  This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1),
.BR checkpath (3).
.SH AUTHOR
Mark Wooding (mdw@nsict.org).
Commit	Line	Data
19cb3d11	1	.\" --nroff--
efa7a97b	2	.TH chkpath 1 "6 April 1999" "Local tools"
	3	.SH NAME
	4	chkpath \- check a path string for security
	5	.SH SYNOPSIS
	6	.B chkpath
	7	.RB [ \-vqstp ]
c25f05b8 MW	8	.RB [ \-g
c25f05b8 MW	9	.IR group ]
efa7a97b	10	.RI [ path ...]
	11	.SH USAGE
	12	The
	13	.B chkpath
	14	command checks one or more path strings (i.e., lists of directories
	15	separated by colons) for security. If no path strings are given, the
	16	value of the
	17	.B PATH
	18	environment variable is examined.
	19	.PP
19cb3d11	20	Each directory in turn is broken into its constituent parts and every
efa7a97b	21	step which must be made through the filesystem to reach that directory
	22	from the root is scrutinized for vulnerabilities. The checks made
	23	against each directory and symbolic link along the way are as follows:
4a1f00c4	24	.IP " 1."
efa7a97b	25	No step should be a directory which is world-writable unless its sticky
efa7a97b	26	bit is set, and it's not the final step.
4a1f00c4	27	.IP " 2."
efa7a97b	28	No step should be a directory which is group-writable unless its sticky
	29	bit is set, and it's not the final step. (However, see the
	30	.B \-t
	31	option below.)
4a1f00c4	32	.IP " 3."
efa7a97b	33	No step should be a directory owned by another user (other than root).
4a1f00c4	34	.IP " 4."
efa7a97b	35	No step should be a symbolic link inside a sticky directory and owned by
	36	another user.
	37	.PP
	38	The author is not aware of any weaknesses in this ruleset. The
	39	objective is that nobody other than the user and the superuser should be
	40	able to add or change the set of files available within the directories
	41	of the path(s).
1c5f5498	42	.SS Options
efa7a97b	43	The following command line options are available:
	44	.TP
	45	.B "\-h, \-\-help"
	46	Displays a relatively verbose message describing how to use
	47	.BR chkpath .
	48	.TP
	49	.B "\-V, \-\-version"
	50	Displays
263d6e0d	51	.BR chkpath 's
efa7a97b	52	version number.
	53	.TP
	54	.B "\-u, \-\-usage"
	55	Displays a very terse usage summary.
	56	.TP
	57	.B "\-v, \-\-verbose"
	58	Makes
	59	.B chkpath
	60	more verbose about what it's doing. This option has a cumulative
	61	effect, so put more in for more verbosity. Note that verbose doesn't
	62	mean the same as interesting. The default is to report problems with
	63	directories and system errors.
	64	.TP
c25f05b8 MW	65	.B "\-g, \-\-group " group
	66	Consider members of
	67	.I group
	68	to be trustworthy:
	69	.B chkpath
	70	won't warn about a directory being group-writable if its gid matches
	71	.IR group .
	72	The
	73	.I group
	74	may be a group name (looked up in
	75	.BR /etc/group )
	76	or a numeric gid in decimal.
	77	.TP
efa7a97b	78	.B "\-q, \-\-quiet"
	79	Makes
	80	.B chkpath
	81	less verbose about what it's doing. This option, like
	82	.BR \-v ,
	83	has a cumulative effect. Each
	84	.B \-q
	85	cancels out a
	86	.B \-v
	87	option.
	88	.TP
	89	.B "\-s, \-\-sticky"
	90	Modifies the ruleset slightly so that any step through the filesystem is
	91	OK, even if world- or group-writable (but not owned by someone else), as
	92	long as the directory's sticky bit is set. The default is that sticky
	93	directories are considered safe only if they're not the final step.
	94	Turning this option on isn't recommended: if you use a sticky directory
	95	in your path then other people can add malicious commands whose names
	96	are common typos of standard ones.
	97	.TP
	98	.B "\-t, \-\-trust\-group"
	99	Modifies the ruleset slightly so that
	100	.B chkpath
	101	doesn't warn about directories group-owned by groups you're a member
	102	of. In other words, it trusts your fellow group-members
1c5f5498	103	.IR "in their capacity as group-owners only" :
efa7a97b	104	.B chkpath
	105	will still warn about directories owned by people in your groups.
	106	.TP
	107	.B "\-p, \-\-print"
	108	Writes on standard output a colon-separated list of the directories
	109	which
	110	.B chkpath
	111	considered `safe'. This can be used to filter out unsafe directories in
	112	an automatic way:
	113	.RS 10
	114	.nf
	115	.ft B
	116	.sp 1
	117	PATH=`chkpath -qqp`
	118	.ft R
	119	.fi
	120	.RE
	121	.SH BUGS
	122	None known.
	123	.SH SEE ALSO
d7b5ee0c	124	.BR tmpdir (1),
d7b5ee0c	125	.BR checkpath (3).
efa7a97b	126	.SH AUTHOR
efa7a97b	127	Mark Wooding (mdw@nsict.org).