This recommendation is a defense in depth strategy that aims at isolating a user program or a daemon from the rest of the file system. It is applicable to programs that do not need to continually maintain superuser status. The central idea is to create a jail so that entities that the program does not need to access under normal operation are made invisible. This makes it much harder to abuse a potential flaw that could otherwise lead to unconstrained system compromise. A jail may consist of world viewable programs that require fewer resources to execute than those that possibly exist on that system. Jails are only useful when there is no way to elevate privileges in the event of program failure.
Additionally, care must be taken to ensure that all the required resources (such as libraries, files and so on) are replicated within the jail directory and no reference is made to other parts of the filesystem from within this directory. It is also advisable to administer restrictive read/write permissions on the jail directories and resources based on the program's privilege requirements. Although, creating jails is an effective security measure when used correctly, it is not a surrogate for additional security best practices.
Non-Compliant Code Example
A security flaw exists in the code shown below resulting from the absence of proper canonicalization measures on the file path. This allows an attacker to traverse the filesystem and possibly write to a file of his choice, with the privileges of the vulnerable program. For example, it may be possible to overwrite the password file (such as the /etc/passwd, common to many POSIX based systems) or a device file such as the mouse which in turn can aid further exploitation or cause a denial of service to occur.
/* Program running with elevated privileges where argv[1] is supplied by the user */ FILE *fp = fopen(argv[1],"w"); /* argv[2] is also specified by the user and may be "foo:*:100:200:8A-74(home):/home/foo:/usr/bin/sh"; * or some other specially crafted input */ char x[100]; strncpy(x,argv[2],100); x[100] = '\0'; fwrite(x, sizeof(x[0]), sizeof(x)/sizeof(x[0]), fp); /* Write operation to an unintended file like /etc/passwd gets executed */
An attacker can control the value of argv[1] and consequently access any resource on the filesystem.
This non-compliant coding example also violates FIO02-A. Canonicalize path names originating from untrusted sources and FIO03-A. Do not make assumptions about fopen() and file creation.
Compliant Solution
Some Unix based systems (such as OpenBSD) encourage restricting filesystem access by recommending the creation of a chroot() jail. This is achieved by passing a predefined directory name as an argument to chroot(). The call to chroot() requires superuser privileges and thus the program should be set-uid root. However, this call does not 'leave' the process inside the jail directory as one would expect. The chdir() call that follows does just this and is indispensable when access is to be restricted to within the jail boundaries.
Another essential step is to drop superuser privileges permanently after these calls so as to be in agreement with the principle of least privilege. The chroot() system call is not secure against the superuser changing the current root directory (if privileges are not dropped) and may be ineffective if the current working directory is not set to the new root directory immediately following the call to chroot(). Successful jail creation prevents unintentional filesystem access even if an attacker gives malicious input, such as through command line arguments.
/*
* Make sure that the ~/chroot/jail directory exists within the current working directory
* Also assign appropriate permissions to the directory to restrict access
* Close all filesystem descriptors to outside resources lest they escape the jail
*/
if (setuid(0) == -1) {
/* Report that setuid failed and note the errno value */
}
if (chroot("/chroot/jail") == -1) { /* Operation failed, handle error */ }
if (chdir("/") == -1) { /* Operation failed, handle error */ }
/* Drop privileges permanently to those of the file owner */
if (setuid(getuid()) == -1) { /* Operation failed, handle error */ }
/* Perform unprivileged operations */
FILE* fp = fopen(argv[1], "w");
The chdir() system call may be susceptible to a race condition if called before chroot(). This is because an attacker with sufficient privileges can delete the 'jail' directory so that the chdir() operation fails and then recreate it so that chroot() succeeds. Consequently, the program will not start in its sandboxed environment (~/chroot/jail) and will not have its current working directory set to ~/chroot/jail. One mitigation strategy is to incorporate error checking to detect if chdir() failed. A more fool proof method is to use chdir() after chroot() so that it guarantees that the current working directory will be set to the chroot'ed directory, that is the new root.
Risk Assessment
Failing to follow this recommendation, wherever possible, may lead to full-system compromise if a security vulnerability is uncovered in a program or daemon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MSC16-A |
medium |
probable |
high |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Wheeler 03]] Section 7.4, "Minimize Privileges"
MSC15-A. Do not depend on undefined behavior 13. Miscellaneous (MSC)