...
| Code Block | ||
|---|---|---|
| ||
int establish(void) {
/* This will store the listening socket's address */
struct sockaddr_in sa;
/* This will hold the listening socket */
int s;
/* Fill up the structure with address and port number */
sa.sin_port = htons(portnum);
/* Other system calls like socket() */
if (bind(s, (struct sockaddr *)&sa,
sizeof(struct sockaddr_in)) < 0) {
/* Perform cleanup */
}
/* Return */
}
int main(void) {
int s = establish();
/* Block with accept() until a client connects */
switch (fork()) {
case -1 : /* Error, clean up and quit */
case 0 : /* This is the child, handle the client */
default : /* This is the parent, continue blocking */
}
}
|
If a vulnerability is discovered exploited in the main body of the program that allows an attacker to execute arbitrary code, this malicious code will run with elevated privileges.
...
The program must follow the principle of least privilege while carefully separating the binding and bookkeeping tasks. To minimize the chance of a flaw in the program from compromising the superuser-level account, it must should drop superuser privileges as soon as the privileged operations are completed. In the code shown below, privileges are permanently dropped permanently as soon as the bind() operation is carried out. The code also ensures privileges may not be regained after being permanently dropped, as per POS37-C. Ensure that privilege relinquishment is successful.
| Code Block | ||
|---|---|---|
| ||
/* Code with elevated privileges */
int establish(void) {
/*struct sockaddr_in This will store thesa; /* listening socket's address */
struct sockaddr_in sa;
/* This will hold theint s; /* listening socket's address */
int s;
/* Fill up the structure with address and port number */
sa.sin_port = htons(portnum);
/* Other system calls like socket() */
if (bind(s, (struct sockaddr *)&sa,
sizeof(struct sockaddr_in)) < 0) {
/* Perform cleanup */
}
/* Return */
}
int main(void) {
int s = establish();
/* Drop privileges permanently */
if (setuid(getuid()) == -1) {
/* Handle the error */
}
if (setuid(0) != -1) {
/* Privileges can be restored, handle error */
}
/* Block with accept() until a client connects */
switch (fork()) {
case -1: /* Error, clean up and quit */
case 0: /* Close all open file descriptors
* This is the child, handle the client
*/
default: /* This is the parent, continue blocking */
}
}
|
...
Failure to follow the principle of least privilege may leave the program susceptible to a wide range of attacks that may result in full system compromise. Privilege escalation is possible in the worst caseallow exploits to execute with elevated privileges.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
POS02-C | high | likely | high | P9 | L2 |
...