X-Git-Url: https://git.distorted.org.uk/~mdw/checkpath/blobdiff_plain/efa7a97bf01444f8bfdf25f488932912d3710974..b8eb35c13263163e9849ee3fbdc1bc8bd5c5167b:/chkpath.1 diff --git a/chkpath.1 b/chkpath.1 index 5742f50..181cc09 100644 --- a/chkpath.1 +++ b/chkpath.1 @@ -1,9 +1,12 @@ +.\" -*-nroff-*- .TH chkpath 1 "6 April 1999" "Local tools" .SH NAME chkpath \- check a path string for security .SH SYNOPSIS .B chkpath .RB [ \-vqstp ] +.RB [ \-g +.IR group ] .RI [ path ...] .SH USAGE The @@ -14,21 +17,21 @@ value of the .B PATH environment variable is examined. .PP -Each directory in turn is broken into its consitituent parts and every +Each directory in turn is broken into its constituent parts and every step which must be made through the filesystem to reach that directory from the root is scrutinized for vulnerabilities. The checks made against each directory and symbolic link along the way are as follows: -.IP 1. +.IP " 1." No step should be a directory which is world-writable unless its sticky bit is set, and it's not the final step. -.IP 2. +.IP " 2." No step should be a directory which is group-writable unless its sticky bit is set, and it's not the final step. (However, see the .B \-t option below.) -.IP 3. +.IP " 3." No step should be a directory owned by another user (other than root). -.IP 4. +.IP " 4." No step should be a symbolic link inside a sticky directory and owned by another user. .PP @@ -36,7 +39,7 @@ The author is not aware of any weaknesses in this ruleset. The objective is that nobody other than the user and the superuser should be able to add or change the set of files available within the directories of the path(s). -.SS OPTIONS +.SS Options The following command line options are available: .TP .B "\-h, \-\-help" @@ -45,7 +48,7 @@ Displays a relatively verbose message describing how to use .TP .B "\-V, \-\-version" Displays -.BR chkpath 's +.BR chkpath 's version number. .TP .B "\-u, \-\-usage" @@ -59,6 +62,19 @@ effect, so put more in for more verbosity. Note that verbose doesn't mean the same as interesting. The default is to report problems with directories and system errors. .TP +.B "\-g, \-\-group " group +Consider members of +.I group +to be trustworthy: +.B chkpath +won't warn about a directory being group-writable if its gid matches +.IR group . +The +.I group +may be a group name (looked up in +.BR /etc/group ) +or a numeric gid in decimal. +.TP .B "\-q, \-\-quiet" Makes .B chkpath @@ -84,7 +100,7 @@ Modifies the ruleset slightly so that .B chkpath doesn't warn about directories group-owned by groups you're a member of. In other words, it trusts your fellow group-members -.IR "in their capacity as group-owners only" . +.IR "in their capacity as group-owners only" : .B chkpath will still warn about directories owned by people in your groups. .TP @@ -105,6 +121,7 @@ PATH=`chkpath -qqp` .SH BUGS None known. .SH SEE ALSO -.BR tmpdir (1). +.BR tmpdir (1), +.BR checkpath (3). .SH AUTHOR Mark Wooding (mdw@nsict.org).