.TH chkpath 1 "6 April 1999" "Local tools"
.SH NAME
chkpath \- check a path string for security
.SH SYNOPSIS
.B chkpath
.RB [ \-vqstp ]
.RI [ path ...]
.SH USAGE
The
.B chkpath
command checks one or more path strings (i.e., lists of directories
separated by colons) for security. If no path strings are given, the
value of the
.B PATH
environment variable is examined.
.PP
Each directory in turn is broken into its constituent parts and every
step which must be made through the filesystem to reach that directory
from the root is scrutinized for vulnerabilities. The checks made
against each directory and symbolic link along the way are as follows:
.IP 1.
No step should be a directory which is world-writable unless its sticky
bit is set, and it's not the final step.
.IP 2.
No step should be a directory which is group-writable unless its sticky
bit is set, and it's not the final step. (However, see the
.B \-t
option below.)
.IP 3.
No step should be a directory owned by another user (other than root).
.IP 4.
No step should be a symbolic link inside a sticky directory and owned by
another user.
.PP
The author is not aware of any weaknesses in this ruleset. The
objective is that nobody other than the user and the superuser should be
able to add or change the set of files available within the directories
of the path(s).
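.PP
The four rules above, written out as an added Python example; this is not chkpath's own source. The names step_problem, check_dir, trusted_gids and max_links are hypothetical, following symbolic links by splicing their targets into the walk is an assumption about how the steps are traversed, and trusted_gids models the \-t option described under OPTIONS (\-s is not modelled).

```python
import errno
import os
import stat

def step_problem(st, me, final, in_sticky, trusted_gids=()):
    """Apply rules 1-4 to one step's lstat() result; return a reason or None."""
    mode, foreign = st.st_mode, st.st_uid not in (0, me)
    if stat.S_ISLNK(mode):                                   # rule 4
        return "symlink in sticky directory owned by another user" if in_sticky and foreign else None
    if not stat.S_ISDIR(mode):
        return None            # the ruleset covers only directories and symlinks
    excused = bool(mode & stat.S_ISVTX) and not final        # sticky and not the final step
    if mode & stat.S_IWOTH and not excused:                  # rule 1
        return "world-writable"
    if mode & stat.S_IWGRP and not excused and st.st_gid not in trusted_gids:  # rule 2 (-t)
        return "group-writable"
    return "owned by another user" if foreign else None      # rule 3

def check_dir(path, me=None, trusted_gids=(), max_links=32):
    """Walk from / to one PATH entry; return {step: reason} for failing steps."""
    me = os.getuid() if me is None else me
    split = lambda p: [c for c in p.split("/") if c not in ("", ".")]
    todo, cur, problems = split(os.path.join(os.getcwd(), path)), "/", {}
    while todo:
        name = todo.pop(0)
        if name == "..":
            cur = os.path.dirname(cur)
            continue
        step = os.path.join(cur, name)
        st = os.lstat(step)
        in_sticky = bool(os.lstat(cur).st_mode & stat.S_ISVTX)
        reason = step_problem(st, me, False, in_sticky, trusted_gids)
        if reason:
            problems[step] = reason
        if stat.S_ISLNK(st.st_mode):                 # splice the link target into the walk
            max_links -= 1
            if max_links < 0:
                raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), step)
            target = os.readlink(step)
            cur = "/" if target.startswith("/") else cur
            todo = split(target) + todo
        else:
            cur = step
    reason = step_problem(os.lstat(cur), me, True, False, trusted_gids)  # final step: sticky is no excuse
    if reason:
        problems[cur] = reason
    return problems
```

An empty result from check_dir means every step to that directory passed; system errors such as a missing directory surface as OSError.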
.SS OPTIONS
The following command line options are available:
.TP
.B "\-h, \-\-help"
Displays a relatively verbose message describing how to use
.BR chkpath .
.TP
.B "\-V, \-\-version"
Displays
.BR chkpath 's
version number.
.TP
.B "\-u, \-\-usage"
Displays a very terse usage summary.
.TP
.B "\-v, \-\-verbose"
Makes
.B chkpath
more verbose about what it's doing. This option has a cumulative
effect, so put more in for more verbosity. Note that verbose doesn't
mean the same as interesting. The default is to report problems with
directories and system errors.
.TP
.B "\-q, \-\-quiet"
Makes
.B chkpath
less verbose about what it's doing. This option, like
.BR \-v ,
has a cumulative effect. Each
.B \-q
cancels out a
.B \-v
option.
.TP
.B "\-s, \-\-sticky"
Modifies the ruleset slightly so that any step through the filesystem is
OK, even if world- or group-writable (but not owned by someone else), as
long as the directory's sticky bit is set. The default is that sticky
directories are considered safe only if they're not the final step.
Turning this option on isn't recommended: if you use a sticky directory
in your path then other people can add malicious commands whose names
are common typos of standard ones.
.TP
.B "\-t, \-\-trust\-group"
Modifies the ruleset slightly so that
.B chkpath
doesn't warn about directories group-owned by groups you're a member
of. In other words, it trusts your fellow group-members
.IR "in their capacity as group-owners only" .
.B chkpath
will still warn about directories owned by people in your groups.
.TP
.B "\-p, \-\-print"
Writes on standard output a colon-separated list of the directories
which
.B chkpath
considered `safe'. This can be used to filter out unsafe directories in
an automatic way:
.RS 10
.nf
.ft B
.sp 1
PATH=`chkpath -qqp`
.ft R
.fi
.RE
.SH BUGS
None known.
.SH SEE ALSO
.BR tmpdir (1).
.SH AUTHOR
Mark Wooding (mdw@nsict.org).