Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added parasoft

...

If the program is run as a setuid root program, over time, the state of the UIDs might look like the following:

Description

Code

EUID

RUID

SSUID

Program startup

 


0

User

0

Temporary drop

seteuid(getuid())

User

User

0

Restore

seteuid(0)

0

User

0

Permanent drop

setuid(getuid())

User

User

User

Restore (attacker)

setuid(0) (fails)

User

User

User

If the program fails to restore privileges, it will be unable to permanently drop them later:

Description

Code

EUID

RUID

SSUID

program startup

 


0

User

0

Temporary drop

seteuid(getuid())

User

User

0

Restore

seteuid(0)

User

User

0

Permanent drop

setuid(getuid())

User

User

0

Restore (attacker)

setuid(0)

0

0

0

Compliant Solution

This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine if superuser privileges were successfully dropped [Wheeler 2003]. If the setuid() call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.

...

If privilege relinquishment conditions are left unchecked, any flaw in the program may lead to unintended system compromise corresponding to the more privileged user or group account.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

POS37-C

high

probable

low

P18

L1

Automated Detection

Tool

Version

Checker

Description

Klocwork
Include Page
Klocwork_V
Klocwork_V

SV.FIU.PROCESS_VARIANTS
SV.USAGERULES.PERMISSIONS

 


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

SECURITY-44Implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

ISO/IEC TR 24772Privilege Sandbox Issues [XYO]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-273, Failure to check whether privileges were dropped successfully2017-07-07: CERT: Exact

Bibliography

[Chen 2002]"Setuid Demystified"
[Dowd 2006]Chapter 9, "Unix I: Privileges and Files"
[Open Group 2004]setuid()
getuid()
seteuid()
[Tsafrir 2008]"The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"
[Wheeler 2003]Section 7.4, "Minimize Privileges"

...


...