The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job [Saltzer 74, Saltzer 75]. The Build Security In website [DHS 06] provides additional definitions of this principle. Executing with minimal privileges mitigates against exploitation in case a vulnerability is discovered in the code.

...

Consider a custom service that must bind to a well-known port (below 1024). To prevent malicious entities from hijacking client connections, the kernel imposes a condition such that only the superuser can use the bind() system call to bind to these ports.

This noncompliant code example is configured as setuid-superuser. It calls bind() and later forks a child to perform the bookkeeping tasks. The program continues to run with superuser privileges even after the bind() operation has been carried out.

#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORTNUM 80  /* Well-known port (below 1024): only the superuser can bind it */

int establish(void) {
  /* This will store the listening socket's address */
  struct sockaddr_in sa;
  /* This will hold the listening socket */
  int s;

  /* Fill up the structure with address and port number */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons(PORTNUM);

  /* Other system calls like socket() */
  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    return -1;
  }

  if (bind(s, (struct sockaddr *)&sa,
        sizeof(struct sockaddr_in)) < 0 || listen(s, SOMAXCONN) < 0) {
    /* Perform cleanup */
    close(s);
    return -1;
  }

  /* Return the listening socket */
  return s;
}

int main(void) {
  int s = establish();
  if (s < 0) { return EXIT_FAILURE; }

  /* Block with accept() until a client connects */
  int client = accept(s, NULL, NULL);
  if (client < 0) { return EXIT_FAILURE; }

  switch (fork()) {
    case -1: /* Error, clean up and quit */
      perror("fork");
      return EXIT_FAILURE;
    case 0:  /* This is the child, handle the client (still as superuser) */
      close(s);
      close(client);  /* The handling of the client itself is not shown */
      _exit(EXIT_SUCCESS);
    default: /* This is the parent, continue blocking */
      close(client);
      break;
  }
  return EXIT_SUCCESS;
}

A vulnerability in the main body of the program, if discovered, would allow an attacker to execute arbitrary code, and that malicious code would run with elevated privileges.

...

The program must follow the principle of least privilege while carefully separating the binding and bookkeeping tasks. To minimize the chance that a flaw in the program compromises the superuser account, it must drop superuser privileges as soon as the privileged operations are completed. In the code shown below, privileges are dropped permanently as soon as the bind() operation is carried out. The code also ensures that privileges cannot be regained after being permanently dropped, as per POS37-C. Ensure that privilege relinquishment is successful.

/* Code with elevated privileges */

#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORTNUM 80  /* Well-known port (below 1024): only the superuser can bind it */

int establish(void) {
  /* This will store the listening socket's address */
  struct sockaddr_in sa;
  /* This will hold the listening socket */
  int s;

  /* Fill up the structure with address and port number */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons(PORTNUM);

  /* Other system calls like socket() */
  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    return -1;
  }

  if (bind(s, (struct sockaddr *)&sa,
        sizeof(struct sockaddr_in)) < 0 || listen(s, SOMAXCONN) < 0) {
    /* Perform cleanup */
    close(s);
    return -1;
  }

  /* Return the listening socket */
  return s;
}

int main(void) {
  int s = establish();
  if (s < 0) { return EXIT_FAILURE; }

  /* Drop privileges permanently */
  if (setuid(getuid()) == -1) {
    /* Handle the error */
    perror("setuid");
    return EXIT_FAILURE;
  }

  if (setuid(0) != -1) {
    /* Privileges can be restored, handle error */
    fprintf(stderr, "privileges were not dropped permanently\n");
    return EXIT_FAILURE;
  }

  /* Block with accept() until a client connects */
  int client = accept(s, NULL, NULL);
  if (client < 0) { return EXIT_FAILURE; }

  switch (fork()) {
    case -1: /* Error, clean up and quit */
      perror("fork");
      return EXIT_FAILURE;
    case 0:  /* Close all open file descriptors the child does not need.
               * This is the child, handle the client (now unprivileged)
               */
      close(s);
      close(client);  /* The handling of the client itself is not shown */
      _exit(EXIT_SUCCESS);
    default: /* This is the parent, continue blocking */
      close(client);
      break;
  }
  return EXIT_SUCCESS;
}
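As an added example, not part of the rule's own code, the drop-and-verify step of the compliant solution generalized into a reusable routine. It goes beyond the page in two ways: it takes a target UID and GID (changing the group first, because a process that has already given up UID 0 can no longer call setgid()), and it verifies all four real and effective IDs before attempting the POS37-C regain check. The function name drop_privileges_permanently and the EINVAL refusal for a target of root are this example's own choices.

```c
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop superuser privileges to new_uid/new_gid and verify that
 * they cannot be regained. Returns 0 on success, -1 on failure with errno set.
 * Call it right after the privileged bind() and before fork()/accept().
 * A complete drop also clears supplementary groups with setgroups() while
 * still root; that call is left out of this example. */
int drop_privileges_permanently(uid_t new_uid, gid_t new_gid) {
  if (new_uid == 0 || new_gid == 0) {
    errno = EINVAL;  /* "dropping" to root would not drop anything */
    return -1;
  }

  /* Group first: once the UID is no longer 0, setgid() is refused. */
  if (setgid(new_gid) == -1) {
    return -1;
  }

  /* For a root process setuid() sets the real, effective and saved UIDs,
   * so the drop is permanent; seteuid() alone could be undone later. */
  if (setuid(new_uid) == -1) {
    return -1;
  }

  /* Verify that every ID is the new one ... */
  if (getuid() != new_uid || geteuid() != new_uid ||
      getgid() != new_gid || getegid() != new_gid) {
    errno = EPERM;
    return -1;
  }

  /* ... and that root cannot be regained (POS37-C). Both calls must fail. */
  if (setuid(0) != -1 || setgid(0) != -1) {
    errno = EPERM;
    return -1;
  }

  return 0;
}
```

A -1 return means the process still holds, or can regain, privileges; the only safe reaction is to exit rather than go on to serve clients.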

Risk Assessment

Failure to follow the principle of least privilege may leave the program susceptible to a wide range of attacks that may result in full system compromise. Privilege escalation is possible in the worst case.

...

[CWE 272] Least Privilege Violation, http://cwe.mitre.org/data/definitions/272.html
[DHS 06] Least Privilege, https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html
[Saltzer 74]
[Saltzer 75]
[Wheeler 03] Section 7.4, "Minimize Privileges", http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html

...