[checkpath] / chkpath.1

.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-vqstp ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security.  If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its consitituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities.  The checks made
against each directory and symbolic link along the way are as follows:
.IP 1.
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP 2.
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step.  (However, see the
.B \-t
option below.)
.IP 3.
No step should be a directory owned by another user (other than root).
.IP 4.
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset.  The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
.SS OPTIONS
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's 
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing.  This option has a cumulative
effect, so put more in for more verbosity.  Note that verbose doesn't
mean the same as interesting.  The default is to report problems with
directories and system errors.
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing.  This option, like
.BR \-v ,
has a cumulative effect.  Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set.  The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust\-group"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of.  In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" .
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'.  This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1).
.SH AUTHOR
Mark Wooding (mdw@nsict.org).
Commit	Line	Data
efa7a97b	1	.TH chkpath 1 "6 April 1999" "Local tools"
	2	.SH NAME
	3	chkpath \- check a path string for security
	4	.SH SYNOPSIS
	5	.B chkpath
	6	.RB [ \-vqstp ]
	7	.RI [ path ...]
	8	.SH USAGE
	9	The
	10	.B chkpath
	11	command checks one or more path strings (i.e., lists of directories
	12	separated by colons) for security. If no path strings are given, the
	13	value of the
	14	.B PATH
	15	environment variable is examined.
	16	.PP
	17	Each directory in turn is broken into its consitituent parts and every
	18	step which must be made through the filesystem to reach that directory
	19	from the root is scrutinized for vulnerabilities. The checks made
	20	against each directory and symbolic link along the way are as follows:
	21	.IP 1.
	22	No step should be a directory which is world-writable unless its sticky
	23	bit is set, and it's not the final step.
	24	.IP 2.
	25	No step should be a directory which is group-writable unless its sticky
	26	bit is set, and it's not the final step. (However, see the
	27	.B \-t
	28	option below.)
	29	.IP 3.
	30	No step should be a directory owned by another user (other than root).
	31	.IP 4.
	32	No step should be a symbolic link inside a sticky directory and owned by
	33	another user.
	34	.PP
	35	The author is not aware of any weaknesses in this ruleset. The
	36	objective is that nobody other than the user and the superuser should be
	37	able to add or change the set of files available within the directories
	38	of the path(s).
	39	.SS OPTIONS
	40	The following command line options are available:
	41	.TP
	42	.B "\-h, \-\-help"
	43	Displays a relatively verbose message describing how to use
	44	.BR chkpath .
	45	.TP
	46	.B "\-V, \-\-version"
	47	Displays
	48	.BR chkpath 's
	49	version number.
	50	.TP
	51	.B "\-u, \-\-usage"
	52	Displays a very terse usage summary.
	53	.TP
	54	.B "\-v, \-\-verbose"
	55	Makes
	56	.B chkpath
	57	more verbose about what it's doing. This option has a cumulative
	58	effect, so put more in for more verbosity. Note that verbose doesn't
	59	mean the same as interesting. The default is to report problems with
	60	directories and system errors.
	61	.TP
	62	.B "\-q, \-\-quiet"
	63	Makes
	64	.B chkpath
65	less verbose about what it's doing. This option, like
66	.BR \-v ,
67	has a cumulative effect. Each
68	.B \-q
69	cancels out a
70	.B \-v
71	option.
72	.TP
73	.B "\-s, \-\-sticky"
74	Modifies the ruleset slightly so that any step through the filesystem is
75	OK, even if world- or group-writable (but not owned by someone else), as
76	long as the directory's sticky bit is set. The default is that sticky
77	directories are considered safe only if they're not the final step.
78	Turning this option on isn't recommended: if you use a sticky directory
79	in your path then other people can add malicious commands whose names
80	are common typos of standard ones.
81	.TP
82	.B "\-t, \-\-trust\-group"
83	Modifies the ruleset slightly so that
84	.B chkpath
85	doesn't warn about directories group-owned by groups you're a member
86	of. In other words, it trusts your fellow group-members
87	.IR "in their capacity as group-owners only" .
88	.B chkpath
89	will still warn about directories owned by people in your groups.
90	.TP
91	.B "\-p, \-\-print"
92	Writes on standard output a colon-separated list of the directories
93	which
94	.B chkpath
95	considered `safe'. This can be used to filter out unsafe directories in
96	an automatic way:
97	.RS 10
98	.nf
99	.ft B
100	.sp 1
101	PATH=`chkpath -qqp`
102	.ft R
103	.fi
104	.RE
105	.SH BUGS
106	None known.
107	.SH SEE ALSO
108	.BR tmpdir (1).
109	.SH AUTHOR
110	Mark Wooding (mdw@nsict.org).