...
If the program is run as a setuid root program, over time, the state of the UIDs might look like the following:
Description | Code | EUID | RUID | SSUID |
---|---|---|---|---|
Program startup |
0 | User | 0 | ||
Temporary drop |
| User | User | 0 |
Restore |
| 0 | User | 0 |
Permanent drop |
| User | User | User |
Restore (attacker) |
| User | User | User |
If the program fails to restore privileges, it will be unable to permanently drop them later:
Description | Code | EUID | RUID | SSUID |
---|---|---|---|---|
program startup |
0 | User | 0 | ||
Temporary drop |
| User | User | 0 |
Restore |
| User | User | 0 |
Permanent drop |
| User | User | 0 |
Restore (attacker) |
| 0 | 0 | 0 |
Compliant Solution
This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine if superuser privileges were successfully dropped [Wheeler 2003]. If the setuid()
call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.
...
If privilege relinquishment conditions are left unchecked, any flaw in the program may lead to unintended system compromise corresponding to the more privileged user or group account.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
POS37-C | high | probable | low | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | |||||
---|---|---|---|---|---|---|---|---|
Klocwork |
|
Parasoft C/C++test |
| SECURITY-44 | Implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TR 24772 | Privilege Sandbox Issues [XYO] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-273, Failure to check whether privileges were dropped successfully | 2017-07-07: CERT: Exact |
Bibliography
[Chen 2002] | "Setuid Demystified" |
[Dowd 2006] | Chapter 9, "Unix I: Privileges and Files" |
[Open Group 2004] | setuid() getuid() seteuid() |
[Tsafrir 2008] | "The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'" |
[Wheeler 2003] | Section 7.4, "Minimize Privileges" |
...
...