mdw@git.distorted.org.uk Git - checkpath/blob - chkpath.1

   1 .\" -*-nroff-*-
   2 .TH chkpath 1 "6 April 1999" "Local tools"
   3 .SH NAME
   4 chkpath \- check a path string for security
   5 .SH SYNOPSIS
   6 .B chkpath
   7 .RB [ \-vqstp ]
   8 .RI [ path ...]
   9 .SH USAGE
  10 The
  11 .B chkpath
  12 command checks one or more path strings (i.e., lists of directories
  13 separated by colons) for security.  If no path strings are given, the
  14 value of the
  15 .B PATH
  16 environment variable is examined.
  17 .PP
  18 Each directory in turn is broken into its constituent parts and every
  19 step which must be made through the filesystem to reach that directory
  20 from the root is scrutinized for vulnerabilities.  The checks made
  21 against each directory and symbolic link along the way are as follows:
  22 .IP "   1."
  23 No step should be a directory which is world-writable unless its sticky
  24 bit is set, and it's not the final step.
  25 .IP "   2."
  26 No step should be a directory which is group-writable unless its sticky
  27 bit is set, and it's not the final step.  (However, see the
  28 .B \-t
  29 option below.)
  30 .IP "   3."
  31 No step should be a directory owned by another user (other than root).
  32 .IP "   4."
  33 No step should be a symbolic link inside a sticky directory and owned by
  34 another user.
  35 .PP
  36 The author is not aware of any weaknesses in this ruleset.  The
  37 objective is that nobody other than the user and the superuser should be
  38 able to add or change the set of files available within the directories
  39 of the path(s).
  40 .SS Options
  41 The following command line options are available:
  42 .TP
  43 .B "\-h, \-\-help"
  44 Displays a relatively verbose message describing how to use
  45 .BR chkpath .
  46 .TP
  47 .B "\-V, \-\-version"
  48 Displays
  49 .BR chkpath 's
  50 version number.
  51 .TP
  52 .B "\-u, \-\-usage"
  53 Displays a very terse usage summary.
  54 .TP
  55 .B "\-v, \-\-verbose"
  56 Makes
  57 .B chkpath
  58 more verbose about what it's doing.  This option has a cumulative
  59 effect, so put more in for more verbosity.  Note that verbose doesn't
  60 mean the same as interesting.  The default is to report problems with
  61 directories and system errors.
  62 .TP
  63 .B "\-q, \-\-quiet"
  64 Makes
  65 .B chkpath
  66 less verbose about what it's doing.  This option, like
  67 .BR \-v ,
  68 has a cumulative effect.  Each
  69 .B \-q
  70 cancels out a
  71 .B \-v
  72 option.
  73 .TP
  74 .B "\-s, \-\-sticky"
  75 Modifies the ruleset slightly so that any step through the filesystem is
  76 OK, even if world- or group-writable (but not owned by someone else), as
  77 long as the directory's sticky bit is set.  The default is that sticky
  78 directories are considered safe only if they're not the final step.
  79 Turning this option on isn't recommended: if you use a sticky directory
  80 in your path then other people can add malicious commands whose names
  81 are common typos of standard ones.
  82 .TP
  83 .B "\-t, \-\-trust\-group"
  84 Modifies the ruleset slightly so that
  85 .B chkpath
  86 doesn't warn about directories group-owned by groups you're a member
  87 of.  In other words, it trusts your fellow group-members
  88 .IR "in their capacity as group-owners only" :
  89 .B chkpath
  90 will still warn about directories owned by people in your groups.
  91 .TP
  92 .B "\-p, \-\-print"
  93 Writes on standard output a colon-separated list of the directories
  94 which
  95 .B chkpath
  96 considered `safe'.  This can be used to filter out unsafe directories in
  97 an automatic way:
  98 .RS 10
  99 .nf
 100 .ft B
 101 .sp 1
 102 PATH=`chkpath -qqp`
 103 .ft R
 104 .fi
 105 .RE
 106 .SH BUGS
 107 None known.
 108 .SH SEE ALSO
 109 .BR tmpdir (1),
 110 .BR checkpath (3).
 111 .SH AUTHOR
 112 Mark Wooding (mdw@nsict.org).