Versions Compared

...

Non-Compliant Code Example

This non-compliant code example compiles cleanly on most POSIX-based systems; however, no explicit checks have been made to ensure that privilege relinquishment has succeeded. This may be dangerous depending on the sequence of the preceding privilege changes.

Code Block

#include <unistd.h>

/* Code intended to run with elevated privileges */

/* Temporarily drop privileges */
if (seteuid(getuid()) != 0) {
  /* Handle error */
}

/* Code intended to run with lower privileges */

if (need_more_privileges) {
  /* Restore privileges */
  if (seteuid(0) != 0) {
    /* Handle error */
  }

  /* Code intended to run with elevated privileges */
}

/* ... */

/* Permanently drop privileges (no check that the drop actually took effect) */
if (setuid(getuid()) != 0) {
  /* Handle error */
}

/* Code intended to run with lower privileges */

If the program is run as a setuid-root program, the state of the UIDs over time might be:

| Description        | Code               | EUID | RUID | SSUID |
|--------------------|--------------------|------|------|-------|
| program startup    |                    | 0    | user | 0     |
| temporary drop     | seteuid(getuid())  | user | user | 0     |
| restore            | seteuid(0)         | 0    | user | 0     |
| permanent drop     | setuid(getuid())   | user | user | user  |
| restore (attacker) | setuid(0) (fails)  | user | user | user  |

If, for some reason, the program fails to restore privileges, it will be unable to permanently drop them later:

...

This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine whether superuser privileges were successfully dropped [Wheeler 03]. After the permanent drop it checks whether superuser privileges can still be regained: if the setuid(0) call succeeds after (supposedly) dropping privileges permanently, privileges were not dropped as was originally intended.

Code Block

#include <unistd.h>

/* Code intended to run with elevated privileges */

/* Temporarily drop privileges */
if (seteuid(getuid()) != 0) {
  /* Handle error */
}

/* Code intended to run with lower privileges */

if (need_more_privileges) {
  /* Restore privileges */
  if (seteuid(0) != 0) {
    /* Handle error */
  }

  /* Code intended to run with elevated privileges */
}

/* ... */

/* Permanently drop privileges */
if (setuid(getuid()) != 0) {
  /* Handle error */
}

/* Verify the drop: if root can be regained, the drop did not take effect */
if (setuid(0) != -1) {
  /* Privileges can be restored, handle error */
}

/* Code intended to run with lower privileges */
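The following is an added, self-contained example (not code from the rule or from sendmail) that packages the compliant solution's idea into one function: it performs the permanent drop, verifies the real and effective UIDs with the POSIX getuid()/geteuid() calls, and then probes the saved set-user-ID the same way the compliant solution does, by attempting setuid(0) and treating anything other than failure as an error. The function name drop_privileges_permanently and its return convention are assumptions of this example. Because the saved set-user-ID cannot be read portably, the probe is the only standard way to learn that the third column of the table above really became "user".

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop privileges to target_uid and verify that the drop
 * actually took effect. Returns 0 on success and -1 if the drop failed
 * or could be reversed. (Function name and contract are this example's.)
 */
int drop_privileges_permanently(uid_t target_uid) {
  /* Step 1: the drop itself; a failing setuid() is the obvious error. */
  if (setuid(target_uid) != 0) {
    return -1;
  }

  /* Step 2: the real and effective UIDs are readable with POSIX calls. */
  if (getuid() != target_uid || geteuid() != target_uid) {
    return -1;
  }

  /*
   * Step 3: the saved set-user-ID is not portably readable, so probe it
   * the way the compliant solution does. If we dropped to a non-root UID
   * and setuid(0) still succeeds, the saved UID was left at 0 and an
   * attacker who gains control later could restore root. Only meaningful
   * when the target is not root itself.
   */
  if (target_uid != 0 && setuid(0) != -1) {
    return -1; /* privileges can be restored: the drop did not take */
  }

  return 0;
}

int main(void) {
  /* Dropping to our own real UID is a no-op for an unprivileged process
   * and the full sequence from the table for a setuid-root one. */
  if (drop_privileges_permanently(getuid()) == 0) {
    printf("privilege drop verified, uid=%u\n", (unsigned)getuid());
    return 0;
  }
  fprintf(stderr, "privilege drop could not be verified\n");
  return 1;
}
```

Run as an ordinary user the function reports success because setuid(0) fails with EPERM; run as a setuid-root binary it reports success only if the saved set-user-ID was also replaced, which is exactly the failure mode the "restore (attacker)" row of the table describes.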

...