Page History

...

Additionally, care must be taken to ensure that all the required resources (such as libraries, files and so on) are replicated within the jail directory and no reference is made to other parts of the file system from within this directory. It is also advisable to administer restrictive read/write permissions on the jail directories and resources based on the program's privilege requirements. Although, creating jails is an effective security measure when used correctly, it is not a surrogate for compliance with other rules and recommendations in this standard.

...

Noncompliant Code Example

A security flaw exists in the code shown below resulting from the absence of proper canonicalization measures on the file path. This allows an attacker to traverse the file system and possibly write to a file of his choice, with the privileges of the vulnerable program. For example, it may be possible to overwrite the password file (such as the /etc/passwd, common to many POSIX based systems) or a device file such as the mouse which in turn can aid further exploitation or cause a denial of service to occur.

...

An attacker can control the value of {{argv\[1\]}} and consequently access any resource on the file system.

This non-compliant noncompliant code example also violates FIO02-AC. Canonicalize path names originating from untrusted sources and FIO03-C. Do not make assumptions about fopen() and file creation.

Compliant Solution (*NIX)

Some UNIX-based systems (such as OpenBSD) can restrict file system access by creating a {{chroot()}} jail. The {{chroot}} jail requires care to implement securely \[[Wheeler 03|AA. C References#Wheeler 03]\]. This is achieved by passing a predefined directory name as an argument to {{chroot()}}. The call to {{chroot()}} requires superuser privileges. However, this call does not _leave_ the process inside the jail directory as one would expect. The {{chdir()}} call that follows does just this and is indispensable when access is to be restricted to within the jail boundaries.

Another essential step is to drop superuser privileges permanently after these calls (see POS02-AC. Follow the principle of least privilege). The chroot() system call is not secure against the superuser changing the current root directory (if privileges are not dropped) and may be ineffective if the current working directory is not set to the new root directory immediately following the call to chroot(). Successful jail creation prevents unintentional file system access even if an attacker gives malicious input, such as through command line arguments.

...

An alternative sequence is to call chdir("chroot/jail") first and then chroot("."). However, calling chdir("/some/path") then chroot("/some/path") should be avoided as this sequence may be susceptible to a race condition. This is because an attacker with sufficient privileges can arrange for /some/path to refer to different directories in the two system calls. Consequently, the program will not have its current working directory set to the new root directory. Using either chdir("/") after chroot() or chroot(".") after chdir() guarantees that the current working directory will be the same directory as the new root.

Risk Assessment

Failing to follow this recommendation, wherever possible, may lead to full-system compromise if a security vulnerability is uncovered in a program or daemon.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[Wheeler 03|AA. C References#Wheeler 03]\] [Section 7.4, "Minimize Privileges"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html]

...