SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 53

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 54

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
The POSIX {{setuid()}} function has complex semantics and platform-specific behavior  \[[Open Group 042004|AA. Bibliography#Open Group 04]\].

...

The meaning of "appropriate privileges" varies from platform to platform. For example, on Solaris, appropriate privileges for setuid() means that the PRIV_PROC_SETID privilege is in the effective privilege set of the process. On BSD, it means that the effective user ID (EUID) is zero (that is, the process is running as root) or that uid=geteuid(). On Linux, it means that the process has CAP_SETUID capability and that setuid(geteuid()) will fail if the effective user ID (EUID) is not equal to 0, the real user ID (RUID), or the saved set-user-ID (SSUID).

...

If the program is run as a setuid root program, over time, the state of the UIDs over time might be as followsmight look like the following:

Description

Code

EUID

RUID

SSUID

program startup

 

0

user

0

temporary drop

seteuid(getuid())

user

user

0

restore

seteuid(0)

0

user

0

permanent drop

setuid(getuid())

user

user

user

restore (attacker)

setuid(0) (fails)

user

user

user

...

Wiki Markup
This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine if superuser privileges were successfully dropped \[[Wheeler 032003|AA. Bibliography#Wheeler 03]\]. If the {{setuid()}} call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.

...

A process may have a number of supplementary group IDs, in addition to its effective group ID, and the supplementary groups can allow privileged access to files. The getgroups() function returns an array which contains the supplementary group IDs and may can also contain the effective group ID. The setgroups() function can set the supplementary group IDs and may can also set the effective group ID on some systems. Using setgroups() usually requires privileges. While POSIX defines the getgroups() function, it does not define setgroups().

Under normal circumstances, setuid() and related calls do not alter the supplementary group IDs. However, a setuid-root program can alter its supplementary group IDs and then relinquish root privileges, in which case, it maintains the supplementary group IDs , but lacks the privilege necessary to relinquish them. Consequently, it is recommended that a program immediately relinquish supplementary group IDs immediately before relinquishing root privileges.

Rule POS36-C. Observe correct revocation order while relinquishing privileges discusses how to drop supplementary group IDs. To ensure that supplementary group IDs are indeed relinquished, you can use the following eql_sups function:

...

Many systems have nonportable privilege capabilities that, if unchecked, can yield privilege escalation vulnerabitilitesvulnerabilities. The following section describes one such capability.

...

Wiki Markup
Processes on Linux have two additional values called {{fsuid}} and {{fsgid}}. These indicate the privileges used when accessing files on the file system. These values normally shadow the effective user ID and effective group ID, but the {{setfsuid()}} and {{setfsgid()}} functions allow them to be changed.  Since changes to the {{euid}} and {{egid}} normally also apply to {{fsuid}} and {{fsgid}}, a program relinquishing root privileges needneeds not be concerned with setting {{fsuid}} or {{fsgid}} to safe values. However, there has been at least one kernel bug that violated this invariant (\[[Chen 022002|AA. Bibliography#Chen 02]\] and \[[Tsafrir 082008|AA. Bibliography#Tsafrir 08]\]). Consequently, a prudent program will check that {{fsuid}} and {{fsgid}} have harmless values after relinquishing privileges.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

POS37-C

high

probable

low

P18

L1

Automated Detection

...

Tool

Version

Checker

Description

Section

Klocwork

Include Page
c:Klocwork_V
c:Klocwork_V
Section

SV.FIU.PERMISSIONS

...


SV.USAGERULES.PERMISSIONS

...

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

Related Guidelines

ISO/IEC PDTR 24772 "XYO Privilege Sandbox Issues"

MITRE CWE: CWE-250, "Execution with Unnecessary Privileges"

MITRE CWE: CWE-273, "Failure to Check Whether Privileges Were Dropped Successfully"

Bibliography

Wiki Markup
\[[Chen 2002
Wiki Markup
\[[Chen 02|AA. Bibliography#Chen 02]\] "Setuid Demystified"
\[[Dowd 06|AA. Bibliography#Dowd 06]\] Chapter 9, "Unix I: Privileges and Files"
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "XYO Privilege Sandbox Issues"
\[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE ID 250|http://cwe.mitre.org/data/definitions/250.html], "Execution with Unnecessary Privileges," [CWE ID 273|http://cwe.mitre.org/data/definitions/273.html], "Failure to Check Whether Privileges Were Dropped Successfully"
\[[Dowd 2006|AA. Bibliography#Dowd 06]\] Chapter 9, "Unix I: Privileges and Files"
\[[Open Group 042004|AA. Bibliography#Open Group 04]\] [{{setuid()}}|http://www.opengroup.org/onlinepubs/009695399/functions/setuid.html], [{{getuid()}}|http://www.opengroup.org/onlinepubs/009695399/functions/getuid.html], [{{seteuid()}}|http://www.opengroup.org/onlinepubs/009695399/functions/seteuid.html]
\[[Tsafrir 082008|AA. Bibliography#Tsafrir 08]\] "The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"
\[[Wheeler 032003|AA. Bibliography#Wheeler 03]\] [Section 7.4, "Minimize Privileges"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html]

...