Page History

...

If the program is run as a setuid root program, over time, the state of the UIDs might look like the following:

Description	Code	EUID	RUID	SSUID
Program startup

	0	User	0
Temporary drop	`seteuid(getuid())`	User	User	0
Restore	`seteuid(0)`	0	User	0
Permanent drop	`setuid(getuid())`	User	User	User
Restore (attacker)	`setuid(0)` (fails)	User	User	User

If the program fails to restore privileges, it will be unable to permanently drop them later:

Description	Code	EUID	RUID	SSUID
program startup

		0	User
Temporary drop	`seteuid(getuid())`	User	User
Restore	`seteuid(0)`	User	User
Permanent drop	`setuid(getuid())`	User	User
Restore (attacker)	`setuid(0)`	0	0

Compliant Solution

This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine if superuser privileges were successfully dropped [Wheeler 2003]. If the setuid() call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.

...

If privilege relinquishment conditions are left unchecked, any flaw in the program may lead to unintended system compromise corresponding to the more privileged user or group account.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
POS37-C	high	probable	low	P18	L1

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

user_defined

Soundly supported

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-POS37

Helix QAC

Include Page

	Helix QAC_V

Supported, but no explicit checker

	Helix QAC_V

DF4876, DF4877, DF4878

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

SV.

FIU.PROCESS_VARIANTS

USAGERULES.PERMISSIONS

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-POS37-a

Ensure that privilege relinquishment is successful

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule POS37-C

Checks for priviledge drop not verified (rule fully covered)

SV.USAGERULES.PERMISSIONS

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy	Taxonomy item	Relationship
ISO/IEC TR 24772	Privilege Sandbox Issues [XYO]

MITRE CWE

Prior to 2018-01-12: CERT: Unspecified Relationship

CWE 2.11

CWE-250, Execution with unnecessary privileges

CWE-273, Failure to check whether privileges were dropped successfully

2017-07-07: CERT: Exact

Bibliography

[Chen 2002]	"Setuid Demystified"
[Dowd 2006]	Chapter 9, "Unix I: Privileges and Files"
[Open Group 2004]	`setuid()getuid()seteuid()`
[Tsafrir 2008]	"The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"
[Wheeler 2003]	Section 7.4, "Minimize Privileges"

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 68

New Version Current

Key

Compliant Solution

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography