sqc 0.4.13

Software Code Quality - CERT C compliance checker
[metadata]
id = "POS05-C"
type = "recommendation"
category = "POS"
number = 5
title = "Limit access to files by creating a jail"
description = """
Creating a jail isolates a program from the rest of the file system. The idea is
to create a sandbox, so entities the program does not need to access under
normal operation are made inaccessible. This makes it much harder to abuse any
vulnerability that can otherwise lead to unconstrained system compromise and
consequently functions as a defense-in-depth strategy. A jail may consist of
world-viewable programs that require fewer resources to execute than those that
exist on that system. Jails are useful only when there is no way to elevate
privileges in the event of program failure. Additionally, care must be taken to
ensure that all the required resources (libraries, files, and so on) are
replicated within the jail directory and that no reference is made to other
parts of the file system from within this directory. It is also advisable to
administer restrictive read/write permissions on the jail directories and
resources on the basis of the program's privilege requirements. Although
creating jails is an effective security measure when used correctly, it is not a
surrogate for compliance with the other rules and recommendations in this
standard. A security flaw exists in this noncompliant code example resulting
from the absence of proper canonicalization measures on the file path. This
allows an attacker to traverse the file system and possibly write to a file of
the attacker's choice with the privileges of the vulnerable program. For
example, it may be possible to overwrite the password file (such as
the/etc/passwd, common to many POSIX-based systems) or a device file, such as
the mouse, which in turn can aid further exploitation or cause a denial of
service to occur.
"""
severity = "Medium"
likelihood = "Probable"
priority = "P4"
level = "L3"
cert_version = "2016 Edition (Wiki)"
last_modified = "May 20, 2025"

[rules.cert_c.POS05-C]
enabled = true

[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/POS05-C.+Limit+access+to+files+by+creating+a+jail"
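Worked example for the POS05-C description above. This is added here and is not code from the CERT wiki page or from sqc. It shows the two halves of the recommendation in C on Linux/glibc: `enter_jail()` performs the chdir/chroot/chdir("/") sequence, drops supplementary groups, gid and uid, and then verifies the drop is irreversible (a jail is useless if the process can get root back); `path_inside()` canonicalizes an untrusted path with `realpath()` and confirms it still lies under the jail directory, which is the canonicalization step the noncompliant example lacks. The function names, the `/tmp/pos05-jail-XXXXXX` scratch directory and the sample files are all assumptions made for this example.

```c
/* Added example for POS05-C (not code from the CERT wiki or from sqc).
 * Shows entering a chroot jail with an irreversible privilege drop, and
 * canonicalizing an untrusted path so it cannot escape the jail directory.
 * Assumes Linux/glibc; function names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Move the process into jail_dir and drop to uid/gid for good.
 * Needs root to start. Returns 0 on success, -1 with errno on failure. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* root can escape chroot */
    if (chdir(jail_dir) != 0) return -1;    /* cwd inside the jail first, ...   */
    if (chroot(".") != 0) return -1;        /* ... so the cwd is never outside it */
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1; /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;        /* gid before uid, or setgid() fails */
    if (setuid(uid) != 0) return -1;
    /* A jail only helps if privileges cannot be regained: these must fail now. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Resolve jail_dir/untrusted with realpath() (which folds "..", duplicate
 * slashes and symlinks) and confirm the result is still under jail_dir.
 * The target must exist; for a file about to be created, check its parent.
 * Returns 0 and fills out[] on success, -1 otherwise. */
int path_inside(const char *jail_dir, const char *untrusted, char out[PATH_MAX])
{
    char jail_real[PATH_MAX], joined[PATH_MAX];
    if (realpath(jail_dir, jail_real) == NULL) return -1;
    int len = snprintf(joined, sizeof joined, "%s/%s", jail_real, untrusted);
    if (len < 0 || (size_t)len >= sizeof joined) return -1;
    if (realpath(joined, out) == NULL) return -1;
    size_t n = strlen(jail_real);
    if (strncmp(out, jail_real, n) != 0) return -1;
    if (out[n] != '/' && out[n] != '\0') return -1;  /* "/jail2" is not under "/jail" */
    return 0;
}

/* Build a throwaway jail under /tmp (constructed sample data) and exercise
 * path_inside() with a clean path, a normalizable one, a ".." traversal and
 * a symlink pointing outside. Returns 1 if every case behaves, 0 otherwise. */
int path_inside_selftest(void)
{
    char tmpl[] = "/tmp/pos05-jail-XXXXXX";
    char *jail = mkdtemp(tmpl);
    if (jail == NULL) return 0;
    char p[PATH_MAX], out[PATH_MAX];
    int ok = 1;
    snprintf(p, sizeof p, "%s/etc", jail);
    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/etc/app.conf", jail);
    FILE *f = fopen(p, "w");
    if (f != NULL) { fputs("constructed sample config\n", f); fclose(f); }
    snprintf(p, sizeof p, "%s/escape", jail);
    symlink("/etc/passwd", p);   /* hostile symlink planted inside the jail */

    ok &= path_inside(jail, "etc/app.conf", out) == 0;
    ok &= path_inside(jail, "etc/../etc//app.conf", out) == 0;    /* normalizes */
    ok &= path_inside(jail, "../../../../etc/passwd", out) == -1;  /* traversal */
    ok &= path_inside(jail, "escape", out) == -1;                  /* symlink out */

    unlink(p);
    snprintf(p, sizeof p, "%s/etc/app.conf", jail); unlink(p);
    snprintf(p, sizeof p, "%s/etc", jail); rmdir(p);
    rmdir(jail);
    return ok;
}

int main(int argc, char **argv)
{
    printf("path checks: %s\n", path_inside_selftest() ? "ok" : "FAILED");
    if (argc != 4) {
        fprintf(stderr, "usage: %s jail_dir uid gid (run as root)\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    /* From here on "/" is the jail and the process is unprivileged. */
    printf("jailed in %s as uid %d\n", argv[1], (int)getuid());
    return 0;
}
```

The path self-test runs without privileges; `enter_jail()` itself only succeeds when started as root with a prepared jail directory (for example `./a.out /srv/jail 65534 65534`). Note that once inside the chroot a symlink to `/etc/passwd` resolves relative to the jail, so the `path_inside()` check matters most for the code that runs before the chroot, or for programs that cannot chroot at all.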