fs-mistrust: check whether file permissions are private.This crate provides a set of functionality to check the permissions on files and directories to ensure that they are effectively private—that is, that they are only readable or writable by trusted[^1] users.
This kind of check can protect your users' data against misconfigurations, such as cases where they've accidentally made their home directory world-writable, or where they're using a symlink stored in a directory owned by another user.
The checks in this crate try to guarantee that, after a path has been shown to be private, no action by a non-trusted user can make that path private. It's still possible for a trusted user to change a path after it has been checked. Because of that, you may want to use other mechanisms if you are concerned about time-of-check/time-of-use issues caused by trusted users altering the filesystem.
Also see the Limitations section below.
user is "trusted" if they have the opportunity to break our security
guarantees. For example, `root` on a Unix environment is "trusted",
whether you actually trust them or not.
Suppose that we want to know whether a given path can be read or modified by an untrusted user. That's trickier than it sounds:
..s and symlinks. That's sufficient for telling whether the final
file can be modified by an untrusted user, but not for whether the path
can be modified by an untrusted user. If there is a modifiable symlink in
the middle of the path, or at any stage of the path resolution, somebody
who can modify that symlink can change which file the path points to.Different programs try to solve this problem in different ways, often with very little rationale. This crate tries to give a reasonable implementation for file privacy checking and enforcement, along with clear justifications in its source for why it behaves that way.
To make sure that every step in the file resolution process is checked, we emulate that process on our own. We inspect each component in the provided path, to see whether it is modifiable by an untrusted user. If we encounter one or more symlinks, then we resolve every component of the path added by those symlink, until we finally reach the target.
In effect, we are emulating realpath (or fs::canonicalize if you
prefer), and looking at the permissions on every part of the filesystem we
touch in doing so, to see who has permissions to change our target file or
the process that led us to it.
For groups, we use the following heuristic: If there is a group with the same name as the current user, and the current user belongs to that group, we assume that group is trusted. Otherwise, we treat all groups as untrusted.
Make sure that a directory is only readable or writeable by us (simple case):
rust
use fs_mistrust::Mistrust;
match Mistrust::new().check_directory("/home/itchy/.local/hat-swap") {
Ok(()) => println!("directory is good"),
Err(e) => println!("problem with our hat-swap directory: {}", e),
}
As above, but create the directory, and its parents if they do not already exist.
rust
use fs_mistrust::Mistrust;
match Mistrust::new().make_directory("/home/itchy/.local/hat-swap") {
Ok(()) => println!("directory exists (or was created without trouble"),
Err(e) => println!("problem with our hat-swap directory: {}", e),
}
Mistrust]You can adjust the [Mistrust] object to change what it permits:
```rust use fs_mistrust::Mistrust;
let mut my_mistrust = Mistrust::new();
// Assume that our home directory and its parents are all well-configured. mymistrust.ignoreprefix("/home/doze/")?;
// Assume that a given group will only contain trusted users. mymistrust.trustgroup_id(413); ```
See [Mistrust] for more options.
Verifier] for more fine-grained checksFor more fine-grained control over a specific check, you can use the
[Verifier] API. Unlike [Mistrust], which generally you'll want to
configure for several requests, the changes in [Verifier] generally make
sense only for one request at a time.
```rust use fs_mistrust::Mistrust; let mistrust = Mistrust::new();
// Require that an object is a regular file; allow it to be world- // readable. mistrust .verifier() .permitreadable() .requirefile() .check("/home/trace/.path_cfg")?;
// Make sure that a directory and all of its contents are private. // Create the directory if it does not exist. // Return an error object containing all of the problems discovered. mistrust .verifier() .requiredirectory() .checkcontent() .allerrors() .makedirectory("/home/trace/private_keys/"); ```
See [Verifier] for more options.
CheckedDir] for safety.You can use the [CheckedDir] API to ensure not only that a directory is
private, but that all of your accesses to its contents continue to verify
and enforce their permissions.
```rust use fsmistrust::{Mistrust, CheckedDir}; use std::fs::{File, OpenOptions}; let dir = Mistrust::new() .verifier() .securedir("/Users/clover/riddles")?;
// You can use the CheckedDir object to access files and directories. // All of these must be relative paths within the path you used to // build the CheckedDir. dir.make_directory("timelines")?; let file = dir.open("timelines/vault-destroyed.md", OpenOptions::new().write(true).create(true))?; // (... use file...) ```
As noted above, this crate only checks whether a path can be changed by non-trusted users. After the path has been checked, a trusted user can still change its permissions. (For example, the user could make their home directory world-writable.) This crate does not try to defend against that kind of time-of-check/time-of-use issue.
We currently assume a fairly vanilla Unix environment: we'll tolerate other systems, but we don't actually look at the details of any of these: * Windows security (ACLs, SecurityDescriptors, etc) * SELinux capabilities * POSIX (and other) ACLs.
On Windows, we accept all file permissions and owners.
We don't check for mount-points and the privacy of filesystem devices themselves. (For example, we don't distinguish between our local administrator and the administrator of a remote filesystem. We also don't distinguish between local filesystems and insecure networked filesystems.)
This code has not been audited for correct operation in a setuid environment; there are almost certainly security holes in that case.
This is fairly new software, and hasn't been audited yet.
All of the above issues are considered "good to fix, if practical".
The list of checks performed here was inspired by the lists from OpenSSH's [safepath], GnuPG's [checkpermissions], and Tor's [checkprivatedir]. All errors are my own.
License: MIT OR Apache-2.0