setuid() function has complex semantics and platform-specific behavior [Open Group 2004].
If the process has appropriate privileges,
setuid()shall set the real user ID, effective user ID, and the saved set-user-ID of the calling process to
If the process does not have appropriate privileges, but
uidis equal to the real user ID or the saved set-user-ID,
setuid()shall set the effective user ID to
uid; the real user ID and saved set-user-ID shall remain unchanged.
The meaning of "appropriate privileges" varies from platform to platform. For example, on Solaris, appropriate privileges for
setuid() means that the
PRIV_PROC_SETID privilege is in the effective privilege set of the process. On BSD, it means that the effective user ID (EUID) is zero (that is, the process is running as root) or that
uid=geteuid(). On Linux, it means that the process has
CAP_SETUID capability and that
setuid(geteuid()) will fail if the EUID is not equal to 0, the real user ID (RUID), or the saved set-user ID (SSUID).
Because of this complex behavior, desired privilege drops sometimes may fail. For example, the range of Linux Kernel versions (2.2.0–2.2.15) is vulnerable to an insufficient privilege attack wherein
setuid(getuid() did not drop privileges as expected when the capability bits were set to zero. As a precautionary measure, subtle behavior and error conditions for the targeted implementation must be carefully noted.
Noncompliant Code Example
This noncompliant code example compiles cleanly on most POSIX systems, but no explicit checks are made to ensure that privilege relinquishment has succeeded. This may be dangerous depending on the sequence of the preceding privilege changes.
If the program is run as a setuid root program, over time, the state of the UIDs might look like the following:
If the program fails to restore privileges, it will be unable to permanently drop them later:
This compliant solution was implemented in sendmail, a popular mail transfer agent, to determine if superuser privileges were successfully dropped [Wheeler 2003]. If the
setuid() call succeeds after (supposedly) dropping privileges permanently, then the privileges were not dropped as intended.
A better solution is to ensure that proper privileges exist before attempting to perform a permanent drop:
Supplementary Group IDs
A process may have a number of supplementary group IDs, in addition to its effective group ID, and the supplementary groups can allow privileged access to files. The
getgroups() function returns an array that contains the supplementary group IDs and can also contain the effective group ID. The
setgroups() function can set the supplementary group IDs and can also set the effective group ID on some systems. Using
setgroups() usually requires privileges. Although POSIX defines the
getgroups() function, it does not define
Under normal circumstances,
setuid() and related calls do not alter the supplementary group IDs. However, a setuid-root program can alter its supplementary group IDs and then relinquish root privileges, in which case, it maintains the supplementary group IDs but lacks the privilege necessary to relinquish them. Consequently, it is recommended that a program immediately relinquish supplementary group IDs before relinquishing root privileges.
POS36-C. Observe correct revocation order while relinquishing privileges discusses how to drop supplementary group IDs. To ensure that supplementary group IDs are indeed relinquished, you can use the following
Many systems have nonportable privilege capabilities that, if unchecked, can yield privilege escalation vulnerabilities. The following section describes one such capability.
File System Access Privileges (Linux)
Processes on Linux have two additional values called
fsgid. These values indicate the privileges used when accessing files on the file system. They normally shadow the effective user ID and effective group ID, but the
setfsgid() functions allow them to be changed. Because changes to the
egid normally also apply to
fsgid, a program relinquishing root privileges need not be concerned with setting
fsgid to safe values. However, there has been at least one kernel bug that violated this invariant ([Chen 2002] and [Tsafrir 2008]). Consequently, a prudent program checks that
fsgid have harmless values after relinquishing privileges.
If privilege relinquishment conditions are left unchecked, any flaw in the program may lead to unintended system compromise corresponding to the more privileged user or group account.
|Axivion Bauhaus Suite|
DF4876, DF4877, DF4878
|CERT_C-POS37-a||Ensure that privilege relinquishment is successful|
|CERT C: Rule POS37-C||Checks for priviledge drop not verified (rule fully covered)|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Key here (explains table format and definitions)
|ISO/IEC TR 24772||Privilege Sandbox Issues [XYO]||Prior to 2018-01-12: CERT: Unspecified Relationship|
|CWE 2.11||CWE-273, Failure to check whether privileges were dropped successfully||2017-07-07: CERT: Exact|
|[Chen 2002]||"Setuid Demystified"|
|[Dowd 2006]||Chapter 9, "Unix I: Privileges and Files"|
|[Open Group 2004]|
|[Tsafrir 2008]||"The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"|
|[Wheeler 2003]||Section 7.4, "Minimize Privileges"|