...

POSIX defines {{setgid()}} to have the following behavior \[[Open Group 04|AA. C References#Open Group 04]\]:

...

This noncompliant code example drops privileges to those of the real user and similarly also drops the group privileges. However, the order is incorrect: setgid() must be run with superuser privileges, but the preceding call to setuid() leaves the effective user ID as nonzero. Under the POSIX behavior quoted above, setgid(getgid()) then runs without privilege and changes only the effective group ID, leaving the saved set-group-ID intact. As a result, if a vulnerability is discovered in the program that allows for the execution of arbitrary code (for example, a call to setegid(0) or setregid(-1, 0)), an attacker can regain the original group privileges.

Code Block
bgColor#ffcccc
/* Drop superuser privileges in incorrect order */

if (setuid(getuid()) == -1) {
  /* handle error condition */
}
if (setgid(getgid()) == -1) {
  /* handle error condition */
}

/* It is still possible to regain group privileges due to
 * incorrect relinquishment order */

...

Code Block
bgColor#ccccff
/* Drop superuser privileges in correct order */

if (setgid(getgid()) == -1) {
  /* handle error condition */
}
if (setuid(getuid()) == -1) {
  /* handle error condition */
}

/* Not possible to regain group privileges due to correct
 * relinquishment order */
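
The following function is an added example (it is not code from the original rule or from any project) that combines the compliant ordering above with the check a practitioner would want after a privilege drop: it drops the group ID first and the user ID second, then verifies that the effective IDs now equal the real IDs and that the former effective IDs can no longer be regained, which is exactly what the noncompliant ordering would allow. The function name drop_privileges_permanently() and its error convention (return -1 with errno set to EPERM when the drop did not take) are this example's own choices, not part of the rule.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for seteuid()/setegid() */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop set-user-ID and set-group-ID privileges in the
 * correct order (group first, then user) and verify that the drop took.
 *
 * Returns 0 on success. Returns -1 with errno set if a call fails or if
 * the process could still regain its former effective IDs; the caller
 * must then abort rather than continue as though it were unprivileged.
 * (Hypothetical helper for this example, not part of the rule.)
 */
int drop_privileges_permanently(void) {
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    /* Group first: setgid() needs the effective UID to still be 0 so that
     * it replaces the saved set-group-ID as well as the effective GID. */
    if (setgid(real_gid) == -1) {
        return -1;
    }
    /* Then the user. With an effective UID of 0 this sets the real,
     * effective and saved set-user-IDs to real_uid. */
    if (setuid(real_uid) == -1) {
        return -1;
    }

    /* Check 1: the effective IDs are now the real IDs. */
    if (geteuid() != real_uid || getegid() != real_gid) {
        errno = EPERM;
        return -1;
    }

    /* Check 2: the former effective IDs cannot be regained. If the saved
     * set-group-ID (or set-user-ID) still held the old value, the matching
     * sete*id() call would succeed. Only meaningful when the process is no
     * longer root and the old IDs differ from the real ones. */
    if (real_uid != 0) {
        if (old_egid != real_gid && setegid(old_egid) == 0) {
            (void)setegid(real_gid);   /* undo, then report the failure */
            errno = EPERM;
            return -1;
        }
        if (old_euid != real_uid && seteuid(old_euid) == 0) {
            (void)seteuid(real_uid);
            errno = EPERM;
            return -1;
        }
    }
    return 0;
}

int main(void) {
    if (drop_privileges_permanently() == -1) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("running as uid=%ld gid=%ld (euid=%ld egid=%ld)\n",
           (long)getuid(), (long)getgid(), (long)geteuid(), (long)getegid());
    return 0;
}
```

Run as an ordinary user the checks are trivially satisfied because nothing was elevated; installed set-user-ID root, the program reaches check 2 only if both setgid() and setuid() succeeded, and the check fails only if the saved IDs survived the drop (as they do for the group ID when the noncompliant order is used). Supplementary group IDs are outside this rule and are not touched by setgid(); a program that must shed them as well needs a separate, privileged setgroups() call before dropping the user ID.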

Risk Assessment

Failing to observe the correct revocation order while relinquishing privileges can result in unintended privilege escalation.

...

\[[Chen 02|AA. C References#Chen 02]\] "Setuid Demystified"
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 9, "UNIX I: Privileges and Files"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYO Privilege Sandbox Issues"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 696|http://cwe.mitre.org/data/definitions/696.html], "Incorrect Behavior Order"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{setuid()}}|http://www.opengroup.org/onlinepubs/009695399/functions/setuid.html] and [{{setgid()}}|http://www.opengroup.org/onlinepubs/009695399/functions/setgid.html]

...