fs-mistrust 0.7.10

Ensure that files can only be read or written by trusted users
Documentation 
# fs-mistrust

Check whether file permissions are private.

This crate provides a set of functionality to check the permissions on files
and directories to ensure that they are effectively private—that is, that
they are only readable or writable by trusted[^1] users.

This kind of check can protect your users' data against misconfigurations,
such as cases where they've accidentally made their home directory
world-writable, or where they're using a symlink stored in a directory owned
by another user.

The checks in this crate try to guarantee that, after a path has been shown
to be private, no action by a _non-trusted user_ can make that path private.
It's still possible for a _trusted user_ to change a path after it has been
checked.  Because of that, you may want to use other mechanisms if you are
concerned about time-of-check/time-of-use issues caused by _trusted_ users
altering the filesystem.

Also see the [Limitations](#limitations) section below.

[^1]: we define "trust" here in the computer-security sense of the word: a
     user is "trusted" if they have the opportunity to break our security
     guarantees.  For example, `root` on a Unix environment is "trusted",
     whether you actually trust them or not.

### What's so hard about checking permissions?

Suppose that we want to know whether a given path can be read or modified by
an untrusted user. That's trickier than it sounds:

* Even if the permissions on the file itself are correct, we also need to
  check the permissions on the directory holding it, since they might allow
  an untrusted user to replace the file, or change its permissions.
* Similarly, we need to check the permissions on the parent of _that_
  directory, since they might let an untrusted user replace the directory or
  change _its_ permissions.  (And so on!)
* It can be tricky to define "a trusted user".  On Unix systems, we usually
  say that each user is trusted by themself, and that root (UID 0) is
  trusted.  But it's hard to say which _groups_ are trusted: even if a given
  group contains only trusted users today, there's no OS-level guarantee
  that untrusted users won't be added to that group in the future.
* Symbolic links add another layer of confusion.  If there are any symlinks
  in the path you're checking, then you need to check permissions on the
  directory containing the symlink, and then the permissions on the target
  path, _and all of its ancestors_ too.
* Many programs first canonicalize the path being checked, removing all
  `..`s and symlinks.  That's sufficient for telling whether the _final_
  file can be modified by an untrusted user, but not for whether the _path_
  can be modified by an untrusted user.  If there is a modifiable symlink in
  the middle of the path, or at any stage of the path resolution, somebody
  who can modify that symlink can change which file the path points to.
* Even if you have checked a directory as being writeable only by a trusted
  user, that doesn't mean that the objects _in_ that directory are only
  writeable by trusted users.  Those objects might be symlinks to some other
  (more writeable) place on the file system; or they might be accessible
  with hard links stored elsewhere on the file system.

Different programs try to solve this problem in different ways, often with
very little rationale.  This crate tries to give a reasonable implementation
for file privacy checking and enforcement, along with clear justifications
in its source for why it behaves that way.


### What we actually do

To make sure that every step in the file resolution process is checked, we
emulate that process on our own.  We inspect each component in the provided
path, to see whether it is modifiable by an untrusted user.  If we encounter
one or more symlinks, then we resolve every component of the path added by
those symlink, until we finally reach the target.

In effect, we are emulating `realpath` (or `fs::canonicalize` if you
prefer), and looking at the permissions on every part of the filesystem we
touch in doing so, to see who has permissions to change our target file or
the process that led us to it.

For groups, we use the following heuristic: If there is a group with the
same name as the current user, and the current user belongs to that group,
we assume that group is trusted.  Otherwise, we treat all groups as
untrusted.

### Examples

#### Simple cases

Make sure that a directory is only readable or writeable by us (simple
case):

```rust
use fs_mistrust::Mistrust;
match Mistrust::new().check_directory("/home/itchy/.local/hat-swap") {
    Ok(()) => println!("directory is good"),
    Err(e) => println!("problem with our hat-swap directory: {}", e),
}
```

As above, but create the directory, and its parents if they do not already
exist.

```rust
use fs_mistrust::Mistrust;
match Mistrust::new().make_directory("/home/itchy/.local/hat-swap") {
    Ok(()) => println!("directory exists (or was created without trouble"),
    Err(e) => println!("problem with our hat-swap directory: {}", e),
}
```

#### Configuring a [`Mistrust`]

You can adjust the [`Mistrust`] object to change what it permits:

```rust,no_run
# fn main() -> Result<(), fs_mistrust::Error> {
use fs_mistrust::Mistrust;

let my_mistrust = Mistrust::builder()
    // Assume that our home directory and its parents are all well-configured.
    .ignore_prefix("/home/doze/")
    // Assume that a given group will only contain trusted users (this feature is only
    // available on Unix-like platforms).
    // .trust_group(413)
    .build()?;
# Ok(())
# }
```

See [`Mistrust`] for more options.

#### Using [`Verifier`] for more fine-grained checks

For more fine-grained control over a specific check, you can use the
[`Verifier`] API.  Unlike [`Mistrust`], which generally you'll want to
configure for several requests, the changes in [`Verifier`] generally make
sense only for one request at a time.

```rust,no_run
# fn main() -> Result<(), fs_mistrust::Error> {
use fs_mistrust::Mistrust;
let mistrust = Mistrust::new();

// Require that an object is a regular file; allow it to be world-
// readable.
mistrust
    .verifier()
    .permit_readable()
    .require_file()
    .check("/home/trace/.path_cfg")?;

// Make sure that a directory _and all of its contents_ are private.
// Create the directory if it does not exist.
// Return an error object containing _all_ of the problems discovered.
mistrust
    .verifier()
    .require_directory()
    .check_content()
    .all_errors()
    .make_directory("/home/trace/private_keys/");
# Ok(())
# }
```

See [`Verifier`] for more options.

#### Using [`CheckedDir`] for safety.

You can use the [`CheckedDir`] API to ensure not only that a directory is
private, but that all of your accesses to its contents continue to verify
and enforce _their_ permissions.

```rust,no_run
# fn main() -> Result<(), fs_mistrust::Error> {
use fs_mistrust::{Mistrust, CheckedDir};
use std::fs::{File, OpenOptions};
let dir = Mistrust::new()
    .verifier()
    .secure_dir("/Users/clover/riddles")?;

// You can use the CheckedDir object to access files and directories.
// All of these must be relative paths within the path you used to
// build the CheckedDir.
dir.make_directory("timelines")?;
let file = dir.open("timelines/vault-destroyed.md",
    OpenOptions::new().write(true).create(true))?;
// (... use file...)
# Ok(())
# }
```

### Limitations

As noted above, this crate only checks whether a path can be changed by
_non-trusted_ users.  After the path has been checked, a _trusted_ user can
still change its permissions.  (For example, the user could make their home
directory world-writable.)  This crate does not try to defend against _that
kind_ of time-of-check/time-of-use issue.

We currently assume a fairly vanilla Unix environment: we'll tolerate other
systems, but we don't actually look at the details of any of these:
   * Windows security (ACLs, SecurityDescriptors, etc)
   * SELinux capabilities
   * POSIX (and other) ACLs.

We use a somewhat inaccurate heuristic when we're checking the permissions
of items _inside_ a target directory (using [`Verifier::check_content`] or
[`CheckedDir`]): we continue to forbid untrusted-writeable directories and
files, but we still allow readable ones, even if we insisted that the target
directory itself was required to to be unreadable.  This is too permissive
in the case of readable objects with hard links: if there is a hard link to
the file somewhere else, then an untrusted user can read it.  It is also too
restrictive in the case of writeable objects _without_ hard links: if
untrusted users have no path to those objects, they can't actually write
them.

On Windows, we accept all file permissions and owners.

We don't check for mount-points and the privacy of filesystem devices
themselves.  (For example, we don't distinguish between our local
administrator and the administrator of a remote filesystem. We also don't
distinguish between local filesystems and insecure networked filesystems.)

This code has not been audited for correct operation in a setuid
environment; there are almost certainly security holes in that case.

This is fairly new software, and hasn't been audited yet.

All of the above issues are considered "good to fix, if practical".

### Acknowledgements

The list of checks performed here was inspired by the lists from OpenSSH's
[safe_path], GnuPG's [check_permissions], and Tor's [check_private_dir]. All
errors are my own.

[safe_path]:
    https://github.com/openssh/openssh-portable/blob/master/misc.c#L2177
[check_permissions]:
    https://github.com/gpg/gnupg/blob/master/g10/gpg.c#L1551
[check_private_dir]:
    https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/lib/fs/dir.c#L70

License: MIT OR Apache-2.0