Creating a jail isolates a program from the rest of the file system. It is applicable only to programs that do not need to retain superuser status for the whole of their execution. The central idea is to create a sandbox in which entities that the program does not need to access under normal operation are made inaccessible. This makes it much harder to abuse a potential flaw that could otherwise lead to unconstrained system compromise, and consequently functions as a defense-in-depth strategy. A jail typically contains only the minimal, world-viewable set of programs and resources the jailed program needs, rather than everything that exists on the host system. Jails are only useful when there is no way to elevate privileges in the event of program failure: a process that can regain superuser privileges inside a jail can also escape it.
Additionally, care must be taken to ensure that all the required resources (such as libraries, files, and so on) are replicated within the jail directory and that no reference is made to other parts of the file system from within this directory. It is also advisable to apply restrictive read/write permissions to the jail directories and resources based on the program's privilege requirements. Although creating jails is an effective security measure when used correctly, it is not a surrogate for compliance with other rules and recommendations in this standard.
Non-Compliant Code Example
...
```c
#include <stdio.h>
#include <string.h>

/*
 * Program running with elevated privileges where argv[1]
 * and argv[2] are supplied by the user
 */
int main(int argc, char *argv[]) {
  char x[100];
  if (argc != 3) {
    return 1;
  }
  /* argv[1] is used unchecked as the output file name */
  FILE *fp = fopen(argv[1], "w");
  if (fp == NULL) {
    return 1;
  }
  strncpy(x, argv[2], sizeof(x));
  x[sizeof(x) - 1] = '\0';
  /*
   * Write operation to an unintended file like /etc/passwd
   * gets executed
   */
  fwrite(x, sizeof(x[0]), sizeof(x) / sizeof(x[0]), fp);
  fclose(fp);
  return 0;
}
```
...
Compliant Solution (*NIX)
UNIX-based systems can restrict file system access by creating a chroot() jail, a practice that some systems (such as OpenBSD) actively encourage. A chroot() jail requires care to implement securely [Wheeler 03]. The jail is established by passing the predefined jail directory as an argument to chroot(). The call to chroot() requires superuser privileges, so the program must start with them (for example as a set-uid root executable) and must drop them permanently as soon as the jail has been entered; a process that retains root inside a chroot() can call chroot() again and escape. Note also that chroot() does not leave the process inside the jail directory as one might expect: the working directory is unchanged and still refers to a location outside the new root. The chdir() call that follows (typically chdir("/")) does exactly this and is indispensable when access is to be restricted to within the jail boundaries.
...