
The POSIX setuid() function has complex semantics and platform-specific behavior [Open Group 2004]:

If the process has appropriate privileges, setuid() shall set the real user ID, effective user ID, and the saved set-user-ID of the calling process to uid.

If the process does not have appropriate privileges, but uid is equal to the real user ID or the saved set-user-ID, setuid() shall set the effective user ID to uid; the real user ID and saved set-user-ID shall remain unchanged.

...

Description         | Code              | EUID | RUID | SSUID
--------------------|-------------------|------|------|------
program startup     |                   | 0    | user | 0
temporary drop      | seteuid(getuid()) | user | user | 0
restore             | seteuid(0)        | user | user | 0
permanent drop      | setuid(getuid())  | user | user | 0
restore (attacker)  | setuid(0)         | 0    | 0    | 0
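The two POSIX rules quoted above are easy to misread, so here is an added example (not code from the CERT page) that models them in plain C and walks the temporary-drop / restore / permanent-drop sequence. The model follows only the POSIX text ("appropriate privileges" is taken to mean an effective UID of 0) and ignores the platform-specific variations the standard warns about; the struct, the model_* helpers and the sample UID 1000 are constructed for the illustration. It shows the case the compliant solution's check exists for: a "permanent" drop attempted while the effective UID is already the user's changes only the effective ID, leaves the saved set-user-ID at 0, and so lets a later setuid(0) succeed.

```c
/* Added example (not from the CERT page): a small model of the POSIX setuid()
 * and seteuid() rules, used to walk through the drop/restore sequence.
 * Constructed sample: a setuid-root program started by uid 1000. */
#include <stdio.h>

typedef unsigned int model_uid_t;

struct ids {
    model_uid_t euid;   /* effective user ID */
    model_uid_t ruid;   /* real user ID */
    model_uid_t suid;   /* saved set-user-ID */
};

/* "Appropriate privileges" in the POSIX sense, modelled here as euid == 0. */
static int privileged(const struct ids *p) { return p->euid == 0; }

/* POSIX setuid(): with privileges, set all three IDs; without, set only the
 * effective ID, and only if uid matches the real or saved ID. Returns 0/-1. */
int model_setuid(struct ids *p, model_uid_t uid) {
    if (privileged(p)) {
        p->euid = p->ruid = p->suid = uid;
        return 0;
    }
    if (uid == p->ruid || uid == p->suid) {
        p->euid = uid;
        return 0;
    }
    return -1;
}

/* POSIX seteuid(): sets only the effective ID; without privileges the target
 * must match the real or saved ID. Returns 0/-1. */
int model_seteuid(struct ids *p, model_uid_t uid) {
    if (privileged(p) || uid == p->ruid || uid == p->suid) {
        p->euid = uid;
        return 0;
    }
    return -1;
}

/* The intended sequence: drop temporarily, restore, then drop permanently
 * while still privileged. Returns 1 if root is unrecoverable afterwards. */
int correct_sequence_is_safe(model_uid_t user) {
    struct ids p = { 0, user, 0 };
    model_seteuid(&p, user);   /* temporary drop: (user, user, 0) */
    model_seteuid(&p, 0);      /* restore:        (0, user, 0)    */
    model_setuid(&p, user);    /* permanent drop with euid 0: (user, user, user) */
    return model_setuid(&p, 0) == -1;   /* an attacker's setuid(0) must fail */
}

/* The trap: "permanently" dropping while the effective ID is already the
 * user's. Only euid changes, the saved ID stays 0, and setuid(0) succeeds.
 * Returns 1 if root is recoverable, which is what the page's check detects. */
int skipped_restore_is_unsafe(model_uid_t user) {
    struct ids p = { 0, user, 0 };
    model_seteuid(&p, user);   /* temporary drop: (user, user, 0) */
    model_setuid(&p, user);    /* no privileges, so only euid is set: (user, user, 0) */
    return model_setuid(&p, 0) == 0 && p.euid == 0;
}

int main(void) {
    printf("correct sequence leaves root unrecoverable: %d\n", correct_sequence_is_safe(1000));
    printf("skipped restore leaves root recoverable:    %d\n", skipped_restore_is_unsafe(1000));
    return 0;
}
```

Both helpers return 1 for UID 1000: the first because all three IDs end up as the user's, the second because the saved set-user-ID of 0 is still there to be reclaimed.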

Compliant Solution

...

This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine whether superuser privileges were successfully dropped [Wheeler 2003]. If the setuid() call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.

```c
#include <sys/types.h>
#include <unistd.h>

/* Code intended to run with elevated privileges   */

/* Temporarily drop privileges */
if (seteuid(getuid()) != 0) {
  /* Handle error */
}

/* Code intended to run with lower privileges */

if (need_more_privileges) {
  /* Restore privileges */
  if (seteuid(0) != 0) {
    /* Handle error */
  }

  /* Code intended to run with elevated privileges */
}

/* ... */

/* Permanently drop privileges */
if (setuid(getuid()) != 0) {
  /* Handle error */
}

/* Verify the drop: if root can be regained, it was not permanent */
if (setuid(0) != -1) {
  /* Privileges can be restored, handle error */
}

/*
 * Code intended to run with lower privileges;
 * attacker cannot regain elevated privileges
 */
```

...

File System Access Privileges (Linux)

...

Processes on Linux have two additional values called fsuid and fsgid. These indicate the privileges used when accessing files on the file system. These values normally shadow the effective user ID and effective group ID, but the setfsuid() and setfsgid() functions allow them to be changed. Because changes to the euid and egid normally also apply to fsuid and fsgid, a program relinquishing root privileges need not be concerned with setting fsuid or fsgid to safe values. However, there has been at least one kernel bug that violated this invariant ([Chen 2002] and [Tsafrir 2008]). Consequently, a prudent program will check that fsuid and fsgid have harmless values after relinquishing privileges.
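The following added example (not code from the CERT page or from sendmail) turns the compliant solution and the fsuid/fsgid advice above into one complete program: it drops the group and user IDs permanently, applies the "can setuid(0) succeed?" probe, confirms the effective IDs now equal the real ones, and on Linux reads fsuid and fsgid from the fourth field of the Uid: and Gid: lines in /proc/self/status to confirm they followed the effective IDs. The function names are hypothetical; on non-Linux systems the file-system IDs are assumed to be the effective IDs, since there is nothing separate to read.

```c
/* Added example (not from the CERT page): permanently drop privileges and
 * verify the drop, including the Linux fsuid/fsgid check.
 * Assumptions: helper names are hypothetical; on non-Linux systems the
 * fsuid/fsgid check falls back to the effective IDs. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the file-system IDs. Linux lists them as the fourth field of the
 * "Uid:" and "Gid:" lines in /proc/self/status (real, effective, saved, fs). */
static int read_fs_ids(uid_t *fsuid, gid_t *fsgid) {
#ifdef __linux__
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int have_uid = 0, have_gid = 0;
    if (f == NULL) return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned r, e, s, fs;
        if (sscanf(line, "Uid:\t%u\t%u\t%u\t%u", &r, &e, &s, &fs) == 4) {
            *fsuid = (uid_t)fs; have_uid = 1;
        } else if (sscanf(line, "Gid:\t%u\t%u\t%u\t%u", &r, &e, &s, &fs) == 4) {
            *fsgid = (gid_t)fs; have_gid = 1;
        }
    }
    fclose(f);
    return (have_uid && have_gid) ? 0 : -1;
#else
    /* Assumption: no separate fsuid/fsgid on this platform; file accesses
     * use the effective IDs. */
    *fsuid = geteuid();
    *fsgid = getegid();
    return 0;
#endif
}

/* Returns 1 if fsuid/fsgid equal the effective IDs, 0 if they differ,
 * -1 if they could not be read. */
int fs_ids_match_effective(void) {
    uid_t fsuid; gid_t fsgid;
    if (read_fs_ids(&fsuid, &fsgid) != 0) return -1;
    return (fsuid == geteuid() && fsgid == getegid()) ? 1 : 0;
}

/* Permanently drop to the real user and group IDs. Returns 0 only when every
 * check passes; each negative value names the check that failed. */
int drop_privileges_permanently(void) {
    /* Groups first: once the uid is non-root, setgid() can no longer change
     * the saved set-group-ID. */
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -2;

    /* The sendmail check from the compliant solution: if root can be
     * regained, the drop was not permanent. */
    if (setuid(0) != -1) return -3;
    if (errno != EPERM) return -4;

    /* The effective IDs must now be the unprivileged ones ... */
    if (geteuid() != getuid() || getegid() != getgid()) return -5;
    /* ... and on Linux the file-system IDs must have followed them. */
    if (fs_ids_match_effective() != 1) return -6;
    return 0;
}

int main(void) {
    int rc = drop_privileges_permanently();
    printf("drop_privileges_permanently() = %d (uid=%u euid=%u)\n",
           rc, (unsigned)getuid(), (unsigned)geteuid());
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user the function returns 0; run as root it returns -3, because dropping "to" UID 0 leaves setuid(0) callable, which is exactly the condition the check is meant to catch. Keeping each failure distinguishable by return code makes the log line that follows a failed drop actionable.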

Risk Assessment

If privilege relinquishment conditions are left unchecked, any flaw in the program may lead to unintended system compromise corresponding to the more privileged user or group account.

...

Tool     | Version | Checker                                        | Description | Section
---------|---------|------------------------------------------------|-------------|--------
Klocwork |         | SV.FIU.PERMISSIONS, SV.USAGERULES.PERMISSIONS  |             |

...

MITRE CWE: CWE-273, "Failure to Check Whether Privileges Were Dropped Successfully"

Bibliography

...

[Chen 2002] "Setuid Demystified"
[Dowd 2006] Chapter 9, "Unix I: Privileges and Files"
[Open Group 2004] setuid() (http://www.opengroup.org/onlinepubs/009695399/functions/setuid.html), getuid() (http://www.opengroup.org/onlinepubs/009695399/functions/getuid.html), seteuid() (http://www.opengroup.org/onlinepubs/009695399/functions/seteuid.html)
[Tsafrir 2008] "The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"
[Wheeler 2003] Section 7.4, "Minimize Privileges" (http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html)

...
