You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 46 Next »

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation, but also by ensuring that privileged blocks contain only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; this increases the potential attack surface exposed to an attacker. Consequently, privileged blocks must not contain superfluous code.

Noncompliant Code Example

This noncompliant code example shows a changePassword() method that attempts to open a password file using a doPrivileged block. The doPrivileged block also contains logic that operates on the file and a superfluous System.loadLibrary() call.

public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
        // Operate on the file ...
        System.loadLibrary("LibName");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
}

This violates the principle of least privilege because a caller who does not have the required privileges may also be able to cause the specified library to be loaded.

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block.

public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  });  // end of doPrivileged()
  // Operations on the file using handle f[0]
  // while ensuring that the f[0] reference     
  // remains contained within changePassword()
  System.loadLibrary("LibName");
}

The open FileInputStream f[0] must not allow f[0] to escape out of changePassword() (see SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary).

Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.

Applicability

Failure to follow the principle of least privilege can lead to privilege escalation.

Related Guidelines

ISO/IEC TR 24772:2010

"Privilege Sandbox Issues [XYO]"

MITRE CWE

CWE ID 272, "Least Privilege Violation"

Bibliography

  • No labels