...

Additionally, care must be taken to ensure that all the required resources (libraries, files, and so on) are replicated within the jail directory, and that no reference is made to other parts of the file system from within this directory. It is also advisable to apply restrictive read/write permissions to the jail directories and resources on the basis of the program's privilege requirements. Although creating jails is an effective security measure when used correctly, it is not a surrogate for compliance with the other rules and recommendations in this standard.

...

A security flaw exists in this noncompliant code example resulting from the absence of proper canonicalization measures on the file path. This allows an attacker to traverse the file system and possibly write to a file of the attacker's choice, with the privileges of the vulnerable program. For example, it may be possible to overwrite the password file (such as /etc/passwd, common to many POSIX-based systems) or a device file, such as the mouse, which in turn can aid further exploitation or cause a denial of service.

#include <stdio.h>
#include <string.h>

enum { array_max = 100 };

/*
 * Program running with elevated privileges where argv[1]
 * and argv[2] are supplied by the user
 */
int main(int argc, char *argv[]) {
  char x[array_max];
  FILE *fp;

  if (argc != 3) {
    return 1;
  }

  /* argv[1] is used as a path without canonicalization or validation */
  fp = fopen(argv[1], "w");
  if (fp == NULL) {
    /* Handle error */
    return 1;
  }

  strncpy(x, argv[2], array_max);
  x[array_max - 1] = '\0';

  /*
   * Write operation to an unintended file such as /etc/passwd
   * gets executed
   */
  if (fwrite(x, sizeof(x[0]), sizeof(x)/sizeof(x[0]), fp) <
      sizeof(x)/sizeof(x[0])) {
    /* Handle error */
  }
  fclose(fp);
  return 0;
}

An attacker can control the value of argv[1] and consequently access any resource on the file system.

...

Some UNIX-based systems (such as OpenBSD) can restrict file system access by creating a chroot() jail. The chroot() jail requires care to implement securely [Wheeler 2003]. This is achieved by passing a predefined directory name as an argument to chroot(). The call to chroot() requires superuser privileges. However, this call does not change the process's current working directory, so it does not leave the process inside the jail directory as might be expected. A subsequent chdir() is required to restrict access to the jail boundaries.

...

An alternative sequence is to call chdir("chroot/jail") first and then call chroot("."). However, calling chdir("/some/path") and then chroot("/some/path") should be avoided because this sequence may be susceptible to a race condition: an attacker with sufficient privileges can arrange for /some/path to refer to different directories in the two system calls. Consequently, the program would not have its current working directory set to the new root directory. Using either chdir("/") after chroot() or chroot(".") after chdir() guarantees that the current working directory will be the same directory as the new root.
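The jail sequence described above, with the privilege drop that must follow it, as an added example that is not part of the original page or the CERT standard's own compliant solution. The function name enter_jail(), the program name jailed_write and the command-line layout (jail directory, numeric uid and gid, file name, text) are assumptions for illustration. The write at the end mirrors the noncompliant example, but because the process has already entered the jail and given up root, argv[4] can only resolve to a file inside the jail directory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Enter a chroot() jail rooted at jail_dir using the safe call order
 * from the text (chdir() into the jail, then chroot(".")), and then
 * give up the superuser privileges that chroot() required.
 *
 * Returns 0 on success and -1 on failure with errno set. If the first
 * chdir() fails (for example with ENOENT), nothing has been changed yet.
 */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid) {
  if (jail_dir == NULL || jail_dir[0] == '\0') {
    errno = EINVAL;
    return -1;
  }

  /* 1. Move into the jail first, so the directory we are in is the one
   *    that becomes the new root. There is no second path lookup that
   *    an attacker could redirect between the two calls. */
  if (chdir(jail_dir) != 0) {
    return -1;
  }

  /* 2. Make the current directory the new root. Needs root (or
   *    CAP_SYS_CHROOT on Linux); fails with EPERM otherwise. */
  if (chroot(".") != 0) {
    return -1;
  }

  /* 3. Drop privileges, group first. A process that keeps root inside a
   *    chroot() can call chroot() again and walk out of the jail. */
  if (setgid(gid) != 0 || setuid(uid) != 0) {
    return -1;
  }
  if (uid != 0 && (getuid() != uid || geteuid() != uid)) {
    errno = EPERM;
    return -1;
  }
  return 0;
}

/*
 * Assumed usage (not from the page):
 *   ./jailed_write <jail_dir> <uid> <gid> <file> <text>
 * Must be started as root so that chroot() succeeds; it then writes
 * <text> to <file>, which can only resolve inside <jail_dir>.
 */
int main(int argc, char *argv[]) {
  if (argc != 6) {
    fprintf(stderr, "usage: %s <jail_dir> <uid> <gid> <file> <text>\n", argv[0]);
    return EXIT_FAILURE;
  }

  uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
  gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

  if (enter_jail(argv[1], uid, gid) != 0) {
    perror("enter_jail");
    return EXIT_FAILURE;
  }

  /* Same write as the noncompliant example, but argv[4] is now
   * resolved relative to the jail: "../../etc/passwd" or
   * "/etc/passwd" cannot reach the real /etc. */
  FILE *fp = fopen(argv[4], "w");
  if (fp == NULL) {
    perror("fopen");
    return EXIT_FAILURE;
  }
  size_t len = strlen(argv[5]);
  if (fwrite(argv[5], 1, len, fp) < len) {
    perror("fwrite");
    fclose(fp);
    return EXIT_FAILURE;
  }
  if (fclose(fp) != 0) {
    perror("fclose");
    return EXIT_FAILURE;
  }
  return EXIT_SUCCESS;
}
```

Two points are easy to get wrong when adapting this: the privilege drop is not optional, since a root process inside a chroot() can create a new directory, chroot() into it and chdir("..") back out; and the jail directory must already contain every library and data file the program needs, as noted earlier, because nothing outside it is reachable after chroot(".") returns.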

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

Bibliography

...

...