Page History

...

Consider a custom service that must bind to a well-known port (below 1024). To avoid prevent malicious entities from hijacking client connections, the kernel imposes a condition so that only the superuser can use the bind() system call to bind to these ports.

This noncompliant code example is configured as setuid-superuser. It calls bind() and later forks out a child to perform the bookkeeping tasks. The program continues to run with superuser privileges even after the bind() operation has been carried outis completed.

int establish(void) {
  struct sockaddr_in sa; /* listening socket's address */
  int s; /* listening socket */

  /*  Fill up the structure with address and port number  */

  sa.sin_port = htons(portnum);

  /*  Other system calls like socket()  */

  if (bind(s, (struct sockaddr *)&sa,
        sizeof(struct sockaddr_in)) < 0) {
    /* Perform cleanup */
  }

  /* Return */
}

int main(void) {
   int s = establish();

  /*  Block with accept() until a client connects  */

   switch (fork()) {
      case -1 :  /* Error, clean up and quit */
      case  0 :  /* This is the child, handle the client */
      default :  /* This is the parent, continue blocking */
  }
  return }0;
}

If a vulnerability is exploited in the main body of the program that allows an attacker to execute arbitrary code, this malicious code will run with elevated privileges.

...

The program must follow the principle of least privilege while carefully separating the binding and bookkeeping tasks. To minimize the chance of a flaw in the program from compromising the superuser-level account, it should drop superuser privileges as soon as the privileged operations are completed. In the following code shown below, privileges are permanently dropped as soon as the bind() operation is carried out. The code also ensures privileges may not be regained after being permanently dropped, as in rule POS37-C. Ensure that privilege relinquishment is successful.

/*  Code with elevated privileges  */

int establish(void) {
  struct sockaddr_in sa; /* listening socket's address */
  int s; /* listening socket */

  /* Fill up the structure with address and port number */

  sa.sin_port = htons(portnum);

  /* Other system calls like socket() */

  if (bind(s, (struct sockaddr *)&sa,
        sizeof(struct sockaddr_in)) < 0) {
    /* Perform cleanup */
  }

  /* Return */
}

int main(void) {
  int s = establish();

  /* Drop privileges permanently */
  if (setuid(getuid()) == -1) {
     /*  Handle the error  */
  }

  if (setuid(0) != -1) {
    /* Privileges can be restored, handle error */
  }

  /* Block with accept() until a client connects */

  switch (fork()) {
     case -1: /* Error, clean up and quit */
     case  0: /* Close all open file descriptors
               * This is the child, handle the client
               */
     default: /* This is the parent, continue blocking */
  }
  return 0;
}

Risk Assessment

Failure to follow the principle of least privilege may allow exploits to execute with elevated privileges.

Automated Detection

Related Vulnerabilities

CVE-2009-2031 results from a violation of this recommendation. OpenSolaris, in smbfs snv_84 through snv_110, sets permissions based on mount-point options and not actual user information (obtained from the getuid() and getgid() functions). An attacker can exploit this to achieve higher permissions. Also, in a certain initialization mode, the code grants read, write, and execute permissions to users other than the owner, which can be exploited to make files world readable [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

...

...

...

...

...

...

Bibliography

...

Image Modified      50. POSIX (POS)      POS03-C. Do not use volatile as a synchronization primitive Image Added Image Added