Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki MarkupThe principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job \[ [Saltzer 74|AA. C References#Saltzer 74], [Saltzer 75|AA. C References#Saltzer 75]\]. The build security in website \[[DHS 06|AA. C References#DHS 05]\] provides additional definitions.

Programs should execute with the least set of privileges that are necessary for their successful completion. This is also the underlying principle behind assigning minimalistic privileges so that the damage caused due to software defects can be constrained.

1974, Saltzer 1975]. The Build Security In website [DHS 2006] provides additional definitions of this principle. Executing with minimal privileges mitigates against exploitation in case a vulnerability is discovered in the code.

Noncompliant Code Example

Privileged operations are often required in a program, though Sometimes, certain privileged operations are required in a program, although subsequently, the program might not need to retain the special privileges. For instance, a network program may require superuser privileges to capture raw network packets but will may not ideally use require the same set of privileges for carrying out other tasks such as packet analysis. Dropping or elevating privileges alternately according to program requirements is a good design strategy. Moreover, assigning only the required privileges limits the window of exposure for any privilege escalation exploit to succeed.

...

Consider a custom service that that needs to must bind to a well-known port (below 1024). To avoid prevent malicious entities from hijacking client connections, the kernel imposes a condition such so that only the superuser can use the bind() system call to bind to these ports.

This non-compliant noncompliant code example is configured as setuid-superuser. It calls bind() and later forks out a child to perform the bookkeeping tasks. The program continues to run with superuser privileges even after the bind() operation has been carried outis completed.

Code Block
bgColor#ffcccc
langc


int establish(void) {
  struct sockaddr_in sa;              /*  This will store the listening socket's address  */
  int s;                              /*  This will hold the listening socket  */

  /*  Fill up the structure with address and port number  */

  sa.sin_port = htons(portnum);

  /*  Other system calls like socket()  */

  if (bind(s, (struct sockaddr *) &sa,
        sizeof(struct sockaddr_in)) < 0) {
    /* Perform cleanup */  
  }  

  /* Return */
}

int main(void) {
   int s = establish();

  /*  Block with accept() until a client connects  */
   
  switch switch(fork()) {
      case -1 :  /* Error, clean up and quit */
      case  0 :  /* This is the child, handle the client */
      default :  /* This is the parent, continue blocking */
   }
}  return 0;
}

A vulnerability (if discovered) If a vulnerability is exploited in the main body of the program will allow that allows an attacker to execute arbitrary code. This , this malicious code will run with elevated privileges.

Compliant Solution

The program must follow the principle of least privilege while carefully separating the binding and bookkeeping tasks. To minimize the chance of a flaw in the program from compromising the superuser-level account, it must should drop superuser privileges as soon as the privileged operations are completed. In the following code shown below, privileges are permanently dropped permanently as soon as the bind() operation is carried out. This solution is in compliance with [FIO42The code also ensures privileges may not be regained after being permanently dropped, as in POS37-C. Ensure files are properly closed when they are no longer needed]that privilege relinquishment is successful.

Code Block
bgColor#ccccff
langc


/*  Code with elevated privileges  */

int establish(void) {
  struct sockaddr_in sa;              /*  This will store the listening socket's address  */
  int s;                              /*  This will hold the listening socket  */

  /* Fill up the structure with address and port number */

  sa.sin_port = htons(portnum);

  /* Other system calls like socket() */

  if (bind(s, (struct sockaddr *) &sa,
        sizeof(struct sockaddr_in)) < 0)  { 
    /* Perform cleanup */  
  }

  /* Return */  
}

int main(void) {
   int s = establish();

  /* Drop privileges permanently */
  if (setuid(getuid()) == -1) {
     /* Drop privileges permanently Handle the error  */
  }

  if (setuid(0) != -1) {
    /*  Handle thePrivileges can be restored, handle error  */
   }

  /* Block with accept() until a client connects */
      
  switch switch(fork()) {
      case -1: /* Error, clean up and quit */
      case  0: /* Close all open file descriptors
                * This is the child, handle the client 
                */
      default: /* This is the parent, continue blocking */
   }
}  return 0;
}

Risk Assessment

Failure to follow the principle of least privilege may leave the program susceptible to a wide range of attacks that may result in full system compromise. Privilege escalation is possible in the worst caseallow exploits to execute with elevated privileges.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

POS02-

A

C

high

High

likely

Likely

high

High

P9

L2

Automated Detection

Tool

Version

Checker

Description

Klocwork
Include Page
Klocwork_V
Klocwork_V
SV.BRM.HKEY_LOCAL_MACHINE
SV.USAGERULES.PERMISSIONS

Related Vulnerabilities

CVE-2009-2031 results from a violation of this recommendation. OpenSolaris, in smbfs snv_84 through snv_110, sets permissions based on mount-point options and not actual user information (obtained from the getuid() and getgid() functions). An attacker can exploit this to achieve higher permissions. Also, in a certain initialization mode, the code grants read, write, and execute permissions to users other than the owner, which can be exploited to make files world readable [xorl 2009].

Search for vulnerabilities resulting from the violation of this recommendation rule on the CERT website.

References

Wiki Markup
\[[CWE - 272|AA. C References#CWE - 272]\] [Least Privilege Violation | http://cwe.mitre.org/data/definitions/272.html]
\[[DHS 05|AA. C References#DHS 05]\] [Least Privilege | https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html]
\[[Saltzer 74|AA. C References#Saltzer 74]\] 
\[[Saltzer 75|AA. C References#Saltzer 75]\]
\[[Wheeler 03|AA. C References#Wheeler 03]\] [Section 7.4, "Minimize Privileges"| http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html]

Related Guidelines

ISO/IEC TR 24772Adherence to Least Privilege [XYN]
MITRE CWECWE-250, Execution with unnecessary privileges
CWE-272, Least privilege violation

Bibliography


...

Image Added Image Added Image AddedImage Removed      50. POSIX (POS)       CERT C Secure Coding Standard