SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 36

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 37

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job \[[Saltzer 741974|AA. Bibliography#Saltzer 74], [Saltzer 751975|AA. Bibliography#Saltzer 75]\]. The Build Security In website \[[DHS 062006|AA. Bibliography#DHS 06]\] provides additional definitions of this principle.  Executing with minimal privileges mitigates against exploitation in case a vulnerability is discovered in the code.

...

Consider a custom service that must bind to a well-known port (below 1024). To avoid malicious entities from hijacking client connections, the kernel imposes a condition such so that only the superuser can use the bind() system call to bind to these ports.

This noncompliant code example is configured as setuid-superuser. It calls bind() and later forks out a child to perform the bookkeeping tasks. The program continues to run with superuser privileges even after the bind() operation has been carried out.

Code Block
bgColor#ffcccc

int establish(void) {
  struct sockaddr_in sa; /* listening socket's address */
  int s; /* listening socket */

  /*  Fill up the structure with address and port number  */

  sa.sin_port = htons(portnum);

  /*  Other system calls like socket()  */

  if (bind(s, (struct sockaddr *)&sa,
        sizeof(struct sockaddr_in)) < 0) {
    /* Perform cleanup */
  }

  /* Return */
}

int main(void) {
   int s = establish();

  /*  Block with accept() until a client connects  */

   switch (fork()) {
      case -1 :  /* Error, clean up and quit */
      case  0 :  /* This is the child, handle the client */
      default :  /* This is the parent, continue blocking */
   }
}

...

The program must follow the principle of least privilege while carefully separating the binding and bookkeeping tasks. To minimize the chance of a flaw in the program from compromising the superuser-level account, it should drop superuser privileges as soon as the privileged operations are completed. In the code shown below, privileges are permanently dropped as soon as the bind() operation is carried out. The code also ensures privileges may not be regained after being permanently dropped, as per in rule POS37-C. Ensure that privilege relinquishment is successful.

...

Wiki Markup
[CVE-2009-2031|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2031] results from a violation of this recommendation. OpenSolaris in smbfs snv_84 through snv_110 sets permissions based on mount point options, and not actual user information (obtained from the {{getuid()}} and {{getgid()}} functions). An attacker can exploit this to achieve higher permissions. Also, in a certain initialization mode, the code grants read, write, and execute permissions to users other than the owner, which can be exploited to make files world readable \[[xorl 2009|http://xorl.wordpress.com/2009/06/14/opensolaris-cifssmb-invalid-file-flags/]\].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC TR 24772 "XYN Privilege Management"

MITRE CWE: CWE-250, "Execution with Unnecessary Privileges"

MITRE CWE: CWE-272, "Least Privilege Violation"

Bibliography

Wiki Markup
\[[DHS 062006|AA. Bibliography#DHS 06]\] [Least Privilege |https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html]
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "XYN Privilege Management"
\[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE ID 250|http://cwe.mitre.org/data/definitions/250.html], "Execution with Unnecessary Privileges," [CWE ID 272|http://cwe.mitre.org/data/definitions/272.html], "Least Privilege Violation"
\[[Saltzer 74Saltzer 1974|AA. Bibliography#Saltzer 74]\]
\[[Saltzer 751975|AA. Bibliography#Saltzer 75]\]
\[[Wheeler 032003|AA. Bibliography#Wheeler 03]\] [Section 7.4, "Minimize Privileges"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html]
\[[xorl 2009|AA. Bibliography#xorl 2009]\] ["OpenSolaris CIFS/SMB Invalid File Flags"|http://xorl.wordpress.com/2009/06/14/opensolaris-cifssmb-invalid-file-flags/]

...