...

POSIX defines setgid() to have the following behavior [Open Group 2004]:

...

This noncompliant code example drops privileges to those of the real user and similarly drops the group privileges. However, the order is incorrect because the setgid() function must be run with superuser privileges, but the call to setuid() leaves the effective user ID as nonzero. As a result, if a vulnerability is discovered in the program that allows for the execution of arbitrary code, an attacker can regain the original group privileges.

...
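The ordering problem described above, as an added example that is not part of the original page: a small C model of the POSIX permission rule for setuid() and setgid(), run once in each order. The `model_*` names and the start state (user and group 1000, privileged group 50) are constructed for illustration, privilege is modeled as effective UID 0, and supplementary groups are not modeled.

```c
#include <stdio.h>

/* Constructed model of one ID triple: real, effective, saved. */
typedef struct { unsigned r, e, s; } ids_t;
typedef struct { ids_t uid, gid; } cred_t;

/* POSIX rule shared by setuid() and setgid(): with appropriate privileges
 * all three IDs change; without them only the effective ID may change, and
 * only to the real or saved ID. Returns 0 on success, -1 for EPERM. */
static int set_id(ids_t *ids, unsigned id, int privileged) {
    if (privileged) { ids->r = ids->e = ids->s = id; return 0; }
    if (id == ids->r || id == ids->s) { ids->e = id; return 0; }
    return -1;
}

/* Assumption: "privileged" means effective UID 0 at the time of the call. */
int model_setuid(cred_t *c, unsigned uid) {
    return set_id(&c->uid, uid, c->uid.e == 0);
}
int model_setgid(cred_t *c, unsigned gid) {
    return set_id(&c->gid, gid, c->uid.e == 0);
}

/* Constructed start state: set-user-ID-root, set-group-ID 50 program
 * started by user 1000 with group 1000. */
static cred_t start(void) {
    cred_t c = { { 1000, 0, 0 }, { 1000, 50, 50 } };
    return c;
}

/* Drops to the real IDs in the given order, then checks whether a later
 * setgid() back to the original group would still succeed. Returns 1 if the
 * group can be regained, 0 if the drop is permanent, -1 if a drop failed. */
int group_regainable(int uid_first) {
    cred_t c = start();
    unsigned old_egid = c.gid.e;
    if (uid_first) {
        if (model_setuid(&c, c.uid.r) || model_setgid(&c, c.gid.r)) return -1;
    } else {
        if (model_setgid(&c, c.gid.r) || model_setuid(&c, c.uid.r)) return -1;
    }
    return model_setgid(&c, old_egid) == 0 && c.gid.e == old_egid;
}

int main(void) {
    printf("setuid() then setgid(): regainable = %d\n", group_regainable(1));
    printf("setgid() then setuid(): regainable = %d\n", group_regainable(0));
    return 0;
}
```

In the setuid()-first run the unprivileged setgid() changes only the effective group ID, so the saved set-group-ID still holds 50 and the group can be restored; in the setgid()-first run all three group IDs are overwritten while the process is still privileged.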

Under normal circumstances, setuid() and related calls do not alter the supplementary group IDs. However, a setuid-root program can alter its supplementary group IDs and then relinquish root privileges, in which case it maintains the supplementary group IDs but lacks the privilege necessary to relinquish them. Consequently, it is recommended that a program relinquish supplementary group IDs immediately before relinquishing root privileges. The following code defines a set_sups() function that will set the supplementary group IDs to a specific array on systems that support the setgroups() function.

...

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|------|----------|------------|------------------|----------|-------|
| POS36-C | high | probable | medium | P12 | L1 |

Automatic Detection

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
| Compass/ROSE | | | Can detect some violations of this rule. In particular, it warns when calls to setgid() are immediately preceded by a call to setuid() |
| ... | | | |
| Klocwork | | SV.FIU.PERMISSIONS ... SV.USAGERULES.PERMISSIONS ... | |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC TR 24772 "XYO Privilege Sandbox Issues"

MITRE CWE: CWE-250, "Execution with Unnecessary Privileges"

MITRE CWE: CWE-696, "Incorrect Behavior Order"

Bibliography

[Chen 2002] "Setuid Demystified"
[Dowd 2006] Chapter 9, "UNIX I: Privileges and Files"
[ISO/IEC PDTR 24772] "XYO Privilege Sandbox Issues"
[MITRE 07] CWE ID 250 (http://cwe.mitre.org/data/definitions/250.html), "Execution with Unnecessary Privileges," CWE ID 696 (http://cwe.mitre.org/data/definitions/696.html), "Incorrect Behavior Order"
[Open Group 2004] setuid() (http://www.opengroup.org/onlinepubs/009695399/functions/setuid.html), and setgid() (http://www.opengroup.org/onlinepubs/009695399/functions/setgid.html)
[Tsafrir 2008] "The Murky Issue of Changing Process Identity: Revising 'Setuid Demystified'"

...