...
Code Block | ||||
---|---|---|---|---|
| ||||
enum { array_max = 100 };
/*
* Program running with elevated privileges where argv[1]
* and argv[2] are supplied by the user
*/
char x[array_max];
FILE *fp = fopen(argv[1], "w");
strncpy(x, argv[2], array_max);
x[array_max - 1] = '\0';
/*
* Write operation to an unintended file such as /etc/passwd
* gets executed
*/
if (fwrite(x, sizeof(x[0]), sizeof(x)/sizeof(x[0]), fp) <
sizeof(x)/sizeof(x[0])) {
/* Handle error */
}
|
An attacker can control the value of argv[1]
and consequently access any resource on the file system.
...
Some UNIX-based systems (such as OpenBSD) can restrict file system access by creating a chroot()
jail. The chroot()
jail requires care to implement securely [AA. Bibliography#Wheeler 03Wheeler 2003]. It is achieved by passing a predefined directory name as an argument to chroot()
. The call to chroot()
requires superuser privileges. However, this call does not leave the process inside the jail directory as might be expected. A subsequent chdir()
is required to restrict access to the jail boundaries.
...
Code Block | ||||
---|---|---|---|---|
| ||||
/*
* Make sure that the chroot/jail directory exists within
* the current working directory. Also assign appropriate
* permissions to the directory to restrict access. Close
* all file system descriptors to outside resources lest
* they escape the jail.
*/
if (setuid(0) == -1) {
/* Handle error */
}
if (chroot("chroot/jail") == -1) {
/* Handle error */
}
if (chdir("/") == -1) {
/* Handle error */
}
/* Drop privileges permanently */
if (setgid(getgid()) == -1) {
/* Handle error */
}
if (setuid(getuid()) == -1) {
/* Handle error */
}
/* Perform unprivileged operations */
enum {array_max = 100};
FILE *fp = fopen(argv[1], "w");
char x[array_max];
strncpy(x, argv[2], array_max);
x[array_max - 1] = '\0';
/* Write operation is safe within jail */
if (fwrite(x, sizeof(x[0]), sizeof(x)/sizeof(x[0]), fp) <
sizeof(x)/sizeof(x[0])) {
/* Handle error */
}
|
An alternative sequence is to first call chdir("chroot/jail")
and then call chroot(".")
. However, calling chdir("/some/path")
, then chroot("/some/path")
, should be avoided because this sequence may be susceptible to a race condition: an attacker with sufficient privileges can arrange for /some/path
to refer to different directories in the two system calls. Consequently, the program will not have its current working directory set to the new root directory. Using either chdir("/")
after chroot()
or chroot(".")
after chdir()
guarantees that the current working directory will be the same directory as the new root.
...
Bibliography
...