LPM: Testing for File Trustworthiness on NT
David Hempy
hempy at ket.org
Thu Mar 23 22:38:48 CST 2000
Here's some food for thought:
From the Cookbook...
>8.17. Testing a File for Trustworthiness
>
>Problem
>
>You want to read from a file, perhaps because it has configuration
>information. You only want to use the file if it can't be written to (or
>perhaps not even be read from) by anyone else than its owner. [...] If the
>file is writable by someone other than the owner or is owned by someone
>other than the current user or the superuser, it shouldn't be trusted.
I have a slight variation. I am generating web pages in a perl
program. I do not want to stomp on someone's handcrafted pride and joy
that might have the same name (such as index.html). This is a certain
eventuality in our environment of cohabitating generated and
manually-created web pages.
Fortunately, the solution is the same.
Unfortunately, the Cookbook's solution doesn't work under NT, with its
vision beyond user-group-world.
My solution:
I use the same mentality of Cookbook 8:17, using Win32::FileSecurity.
After generating the file I set the permissions such that I
(Win32::LoginName, to be precise) have full access, and Everyone has Read
access:
>## Takes one parameter, a file name.
>## Grants FULL access to the file for the current user.
>## Changes permissions for any others listed to READ access.
>## Returns true on success.
>sub MakeFileSafe {
> my $file = shift;
>
> return 0 unless -e $file;
>
> my $me = Win32::DomainName . '\\' . Win32::LoginName;
> my (%perms, $name, $mask);
> my $readonly_access = Win32::FileSecurity::MakeMask( qw( READ
> ) );
> my $full_access = Win32::FileSecurity::MakeMask( qw( FULL
> ) );
>
>
> unless (Win32::FileSecurity::Get($file, \%perms) ) {
> warn "Can't Win32::FileSecurity::Get($file)\n<br>\n";
> return 0;
> }
>
>
> foreach my $user (keys %perms) {
> $perms{$user} = $readonly_access;
> }
>
> $perms{$me} = $full_access;
>
> unless (Win32::FileSecurity::Set($file, \%perms) ) {
> warn "Can't Win32::FileSecurity::Set($file)\n<br>\n";
> return 0;
> }
>
>
> return 1;
>}
When testing to see if I can overwrite an existing file, I check to see
that these permissions are still set. If so, I can be reasonably sure that
I am only overwriting my own work. If not, I complain and ask the user to
move or delete the offending file if they really want the target file
generated.
>## Returns true if no other users can write to a file.
>## Takes one parameter, a file name.
>## note: Returns true if the file does not exist.
>sub FileIsSafe {
> my $file = shift;
>
> return 1 unless -e $file; ## No File is a Safe File.
>
> my $me = Win32::DomainName . '\\' . Win32::LoginName;
> my (%perms, $name, $mask);
> my $readonly_access = Win32::FileSecurity::MakeMask( qw( READ
> ) );
> my $full_access = Win32::FileSecurity::MakeMask( qw( FULL
> ) );
>
> Win32::FileSecurity::Get( $file, \%perms ) ;
>
> while( ($name, $mask) = each %perms ) {
> #print "\n$name: $mask\n\t";
> #print "Read Rights\n\t" if ($mask ==
> $readonly_access);
> #print "Full Rights\n\t" if ($mask ==
> $full_access);
>
> unless
> ( $mask == $readonly_access
> || $name eq $me
> || $name =~ /\bUnknown\b/ ### This
> appears some times with access...not sure why.
> ) {
> #print "HEY! $name has more than
> read-only access!\n";
> #Win32::FileSecurity::EnumerateRights(
> $mask, \@rights ) ;
> #print join( "\n\t", @rights ), "\n";
> return 0;
> }#else {
> # print "Cool... $name has appropriate
> access!\n";
> #}
>
> }
>
> return 1;
>}
One benefit of this (the inspiration for it, actually) is that users cannot
(readily) edit the generated html files. If they ever *think* they do,
they actually need to:
1. Edit the source data,
2. Edit the template, or
3. Con me into fixing a bug/featurelack in the program.
"Editing the generated file" will never belong on this list. Doing so will
cause headaches for the user the next time the file is generated. When
they come to me asking permission to edit the output file, I will direct
them to the appropriate action from the list above. ;-)
-dave
--
David Hempy
Internet Database Administrator
Kentucky Educational Television
<hempy at ket.org> -- (606)258-7164 -- (800)333-9764
More information about the Lexington-pm
mailing list