


ckfsec(1)							    ckfsec(1)
Patchkit 3							   Patchkit 3



NAME

  ckfsec - Check file and directory security

SYNOPSIS

  ckfsec [-aeh]	[-i flag...] [-mnsvw] directory	[directory ...]

OPTIONS

  -a  "All" mode; has the same effect as a combination of -e, -v, and -w.

  -e  Explain mode; appends explanatory	text to	lines of the report.

  -h  Displays a usage message.

  -i  Suppresses reporting and checking	as specified by	one or more of the
      following	flags:

      a	      Do not report in the summary whether Access Control Lists
	      (ACLs) are enabled on the	system.

      g	      Do not check for GID mismatches between a	link and its target.

      h	      Do not check for hardlinks (files	with link count	greater	than
	      1).

      m	      Do not check for symbolic	links whose targets do not exist.

      s	      Do not check for world-writable directories on which the sticky
	      bit is not set.

      u	      Do not check for UID mismatches between a	link and its target.

      When specifying multiple flags, do not separate them by using spaces.

  -m  Restricts	processing to files that are in	the same file system as
      directory.

  -n  Ignores file systems mounted through NFS.

  -s  Suppresses the summary lines that	are otherwise included at the end of
      the report. The summary lines report the total number of directories
      that were	processed, the number of world-writable	directories that were
      found, the total number of potential problems that were found, and
      (unless the a flag is specified with -i) whether ACLs are	enabled	on
      the system.

  -v  Verbose mode; includes in	the report all files and directories that
      were checked, not	just those that	have a potential problem.

  -w  Displays in the report the pathnames of all world-writable directories,
      not just those found to be vulnerable.

      If -w is not specified, the total	count of world-writable	directories
      that were	processed is included in summary lines at the end of the
      report (unless -s	is specified to	omit the summary). This	count always
      includes all world-writable directories that were	found, whether or not
      they had the sticky bit set or contained vulnerable files.

OPERANDS

  directory
      The pathname of the top-level directory of the file tree to be checked.
      A	space-separated	list of	multiple pathnames may be specified to check
      more than	one tree.

DESCRIPTION

  The ckfsec tool searches a directory tree for	world-writable directories
  and, in each of these, searches for and reports on the following potential
  vulnerabilities:

    +  A symbolic link whose target has	an owner or group different from the
       link

    +  A symbolic link whose target does not exist

    +  A world-writable directory without the sticky bit set,
       including the specified directory, if applicable

    +  A pipe

    +  A file with a link count	greater	than 1 (a file with "hard links")

  Potential vulnerabilities are	reported in the	following format:

  code type [uid] [gid]	mtime file[ -> target] [explanatory_text]

  In this format:

  code
      Indicates the problem. Each code value begins with W (warning) or E
      (error) to indicate the severity, followed by one to three of the
      following letters to indicate why file is potentially vulnerable:

      g	  The GID of a symbolic	link does not match the	GID of its target.
	  This might mean that a nonprivileged user created a symbolic link
	  to point to a	privileged file.

      h	  The file has a link count greater than 1. This might mean that a
	  nonprivileged	user created a hardlink	that specifies a privileged
	  file.

      m	  The symbolic link specifies a	target that does not exist. This
	  might	allow a	nonprivileged user to trick a privileged process into
	  creating a privileged	file. By itself, this condition	is treated as
	  a warning.

      p	  A pipe was found.

      s	  The mode of the directory (if	world-writable)	is missing the sticky
	  bit.

      u	  The UID of a symbolic	link does not match the	UID of its target.
	  This might mean that a nonprivileged user created a symbolic link
	  to point to a	privileged file.

      w	  The directory	is world-writable, which allows	nonprivileged users
	  to create links that can trick privileged programs into writing or
	  overwriting privileged files.	A world-writable directory is
	  reported as a	warning, unless	its sticky bit is not set, in which
	  case the directory is	reported as an error.

  type
      Specifies	what file represents. Type identifiers are as follows:

      d	  Directory

      f	  Regular file (shown only if -v is specified)

      h	  Hardlink

      l	  Symbolic link

      p	  Pipe

  uid Identifies the owner (UID) of file.

  gid Identifies the group (GID) of file.

  mtime
      Specifies	the time that file was last modified.

  file
      Specifies	the pathname of	the file system	object that is potentially
      vulnerable.

  -> target
      If file is a symbolic link, specifies its	target.

  explanatory_text
      Includes additional information about the potential problem. This
      additional information is appended to report lines only if -e is
      specified on the command line.

  While	traversing the specified directory tree, ckfsec	does not process any
  files	found in secure	subdirectories;	however, the tool does process all
  subdirectories.

  The main body	of the report that the tool produces lists files that are
  potential vulnerabilities. If	the -a or -v option is specified, the body of
  the report lists all directories and files that were processed.

  Unless the -s	option is specified, the report	ends with summary lines	as
  follows:

  Total	directories: count
  World-writable dirs: count
  Total	problems: count
  ACLs_statement

  Unless omitted by the	a flag for the -i option, ACLs_statement is one	of
  the following:

    +  This system has ACLs enabled. ACLs may introduce	additional security
       risks.

       The ckfsec utility does not check ACLs. ACLs, depending on what they
       contain, can either tighten or relax the security provided by
       directory or file permissions alone. This informational message is
       displayed to remind you that ACLs have not been checked and that you
       should make sure that no world-writable directory has an ACL that
       makes the system more vulnerable than it would be otherwise.

    +  ACLs are	not enabled on this system.

       This message is what you	would expect if	ACLs are not being used	to
       manage system security.

				     Note

       ACL reporting is not supported for releases prior to Tru64 UNIX
       Version 5.0A. If the ckfsec tool is installed and run on Tru64 UNIX
       versions prior to Version 5.0A, ACLs_statement is not included in the
       report.

  The tool's report must be checked manually to	determine whether any of the
  files	and directories	identified as vulnerable represent an actual breach
  of system security or	are likely to be used in that way.
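
  The checks listed above can be reproduced on systems that do not ship
  ckfsec. The following Python is an added example, not ckfsec's own code:
  the function name audit is hypothetical, the severity E for a pipe is an
  assumption (the page does not state one), and ACLs are not examined.

```python
import os
import stat

def audit(root):
    """Return (code, path) findings for world-writable directories under root."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # symlinked dirs are not followed
        mode = os.lstat(dirpath).st_mode
        if not mode & stat.S_IWOTH:
            continue  # secure directory: skip its files, still walk its subdirectories
        # World-writable is a warning; it becomes an error without the sticky bit.
        findings.append(("Ww" if mode & stat.S_ISVTX else "Ews", dirpath))
        for name in sorted(os.listdir(dirpath)):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat describes the link itself, not its target
            why = ""
            if stat.S_ISLNK(st.st_mode):
                try:
                    target = os.stat(path)  # stat follows the link
                except OSError:
                    # Target missing or unresolvable: a warning by itself.
                    findings.append(("Wm", path))
                    continue
                if target.st_uid != st.st_uid:
                    why += "u"
                if target.st_gid != st.st_gid:
                    why += "g"
            elif stat.S_ISFIFO(st.st_mode):
                why = "p"  # severity E below is assumed for pipes
            elif not stat.S_ISDIR(st.st_mode) and st.st_nlink > 1:
                why = "h"
            if why:
                findings.append(("E" + why, path))
    return findings

if __name__ == "__main__":
    import sys
    for code, path in audit(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print(f"{code:<4} {path}")
```

  As with ckfsec itself, each finding still has to be reviewed by hand.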

EXAMPLES

  The following	example	shows a	report from a ckfsec command that includes no
  options:

       #       ckfsec /
	.
	.
	.
       Ews d 0777    0    0 2002/02/11 /tmp/one  [1]
       Eh  h 0644 8941    0 2002/02/11 /tmp/backdoor  [2]
       Eg  l 0777 8941    0 2002/02/11 /tmp/one/two/a.txt -> /home/brians/.profile  [3]
       Eu  l 0777    0    0 2002/02/11 /tmp/one/two/three/a.txt -> /tmp/one/two/a.txt  [4]
       Eg  l 0777 8941    0 2002/02/11    /tmp/one/two/a.txt -> /home/brians/.profile  [5]
       Eug l 0777 8941   33 2002/02/09 /tmp/README -> /etc/fstab  [6]
       Wm  l 0777 8941    0 2002/02/09 /tmp/core -> /etc/nologin  [7]
	.
	.
	.
       Total directories:      9
       World-writable dirs:    5
       Total problems:	       7
       ACLs are	not enabled on this system.

  In this example, the lines that start	with error codes show the following:

  [1] Reports a	world-writable directory that does not have the	sticky bit
      set. The sticky bit prevents users (other	than the directory owner, the
      file owner, or the superuser) from deleting or renaming files in that
      directory.

  [2] Reports a	file system object (in a world-writable	directory) with	a
      link count greater than 1. The ls	-i command might reveal, for example,
      that backdoor is a hardlink to (has the same i-number as)	the one
      directory.

  [3] Reports a	GID mismatch.

  [4] Reports a	UID mismatch.

  [4], [5]
      Trace links two levels deep; therefore, Line 5 is indented accordingly.
      These lines show that vulnerabilities are sometimes masked through
      multiple links between different directories and files.

  [6] Reports both a UID and GID mismatch. In this case, the link might	cause
      a	privileged file	to be overwritten.

  [7] Reports a	symbolic link to a file	that does not currently	exist. In
      this case, the link target would be a problem if it were created in the
      future.
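
  A saved report can be parsed to support the manual review, including
  following link chains such as the one in lines [4] and [5]. This Python
  is an added example, not part of ckfsec: the names parse_report and
  resolve_chains are hypothetical, the sample lines are adapted from the
  report above using the "->" separator from the format line, and the
  column layout (an octal mode after type, pathnames without spaces) is
  assumed from that sample.

```python
import re

LINE = re.compile(
    r"^\s*(?P<sev>[EW])(?P<why>[ghmpsuw]{1,3})\s+(?P<type>[dfhlp])\s+"
    r"(?P<mode>[0-7]{4})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<mtime>\d{4}/\d{2}/\d{2})\s+(?P<file>\S+)(?:\s+->\s+(?P<target>\S+))?")

REASONS = {"g": "GID mismatch", "h": "hard link", "m": "missing target",
           "p": "pipe", "s": "no sticky bit", "u": "UID mismatch",
           "w": "world-writable"}

def parse_report(text):
    """Return one dict per finding line; summary and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entry = m.groupdict()  # target is None when the line has no "->"
            entry["why"] = [REASONS[c] for c in entry["why"]]
            entries.append(entry)
    return entries

def resolve_chains(entries):
    """Map each reported link to the end of its chain of reported links."""
    hop = {e["file"]: e["target"] for e in entries if e["target"]}
    final = {}
    for start, cur in hop.items():
        seen = {start}
        while cur in hop and cur not in seen:  # stop on loops
            seen.add(cur)
            cur = hop[cur]
        final[start] = cur
    return final

# Constructed sample, adapted from the report shown in EXAMPLES.
SAMPLE = """\
Ews d 0777    0    0 2002/02/11 /tmp/one
Eh  h 0644 8941    0 2002/02/11 /tmp/backdoor
Eu  l 0777    0    0 2002/02/11 /tmp/one/two/three/a.txt -> /tmp/one/two/a.txt
Eg  l 0777 8941    0 2002/02/11    /tmp/one/two/a.txt -> /home/brians/.profile
Wm  l 0777 8941    0 2002/02/09 /tmp/core -> /etc/nologin
Total problems:        5
"""
```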





SEE ALSO

  Commands: dirclean(8)

  Functions: mktemp(3),	safe_open(3)

  Others: sys_attrs_sec(5)