mdw@git.distorted.org.uk Git - checkpath/blob - chkpath.1

   1 .TH chkpath 1 "6 April 1999" "Local tools"
   2 .SH NAME
   3 chkpath \- check a path string for security
   4 .SH SYNOPSIS
   5 .B chkpath
   6 .RB [ \-vqstp ]
   7 .RI [ path ...]
   8 .SH USAGE
   9 The
  10 .B chkpath
  11 command checks one or more path strings (i.e., lists of directories
  12 separated by colons) for security.  If no path strings are given, the
  13 value of the
  14 .B PATH
  15 environment variable is examined.
  16 .PP
  17 Each directory in turn is broken into its consitituent parts and every
  18 step which must be made through the filesystem to reach that directory
  19 from the root is scrutinized for vulnerabilities.  The checks made
  20 against each directory and symbolic link along the way are as follows:
  21 .IP 1.
  22 No step should be a directory which is world-writable unless its sticky
  23 bit is set, and it's not the final step.
  24 .IP 2.
  25 No step should be a directory which is group-writable unless its sticky
  26 bit is set, and it's not the final step.  (However, see the
  27 .B \-t
  28 option below.)
  29 .IP 3.
  30 No step should be a directory owned by another user (other than root).
  31 .IP 4.
  32 No step should be a symbolic link inside a sticky directory and owned by
  33 another user.
  34 .PP
  35 The author is not aware of any weaknesses in this ruleset.  The
  36 objective is that nobody other than the user and the superuser should be
  37 able to add or change the set of files available within the directories
  38 of the path(s).
  39 .SS OPTIONS
  40 The following command line options are available:
  41 .TP
  42 .B "\-h, \-\-help"
  43 Displays a relatively verbose message describing how to use
  44 .BR chkpath .
  45 .TP
  46 .B "\-V, \-\-version"
  47 Displays
  48 .BR chkpath 's
  49 version number.
  50 .TP
  51 .B "\-u, \-\-usage"
  52 Displays a very terse usage summary.
  53 .TP
  54 .B "\-v, \-\-verbose"
  55 Makes
  56 .B chkpath
  57 more verbose about what it's doing.  This option has a cumulative
  58 effect, so put more in for more verbosity.  Note that verbose doesn't
  59 mean the same as interesting.  The default is to report problems with
  60 directories and system errors.
  61 .TP
  62 .B "\-q, \-\-quiet"
  63 Makes
  64 .B chkpath
  65 less verbose about what it's doing.  This option, like
  66 .BR \-v ,
  67 has a cumulative effect.  Each
  68 .B \-q
  69 cancels out a
  70 .B \-v
  71 option.
  72 .TP
  73 .B "\-s, \-\-sticky"
  74 Modifies the ruleset slightly so that any step through the filesystem is
  75 OK, even if world- or group-writable (but not owned by someone else), as
  76 long as the directory's sticky bit is set.  The default is that sticky
  77 directories are considered safe only if they're not the final step.
  78 Turning this option on isn't recommended: if you use a sticky directory
  79 in your path then other people can add malicious commands whose names
  80 are common typos of standard ones.
  81 .TP
  82 .B "\-t, \-\-trust\-group"
  83 Modifies the ruleset slightly so that
  84 .B chkpath
  85 doesn't warn about directories group-owned by groups you're a member
  86 of.  In other words, it trusts your fellow group-members
  87 .IR "in their capacity as group-owners only" .
  88 .B chkpath
  89 will still warn about directories owned by people in your groups.
  90 .TP
  91 .B "\-p, \-\-print"
  92 Writes on standard output a colon-separated list of the directories
  93 which
  94 .B chkpath
  95 considered `safe'.  This can be used to filter out unsafe directories in
  96 an automatic way:
  97 .RS 10
  98 .nf
  99 .ft B
 100 .sp 1
 101 PATH=`chkpath -qqp`
 102 .ft R
 103 .fi
 104 .RE
 105 .SH BUGS
 106 None known.
 107 .SH SEE ALSO
 108 .BR tmpdir (1).
 109 .SH AUTHOR
 110 Mark Wooding (mdw@nsict.org).