...
```c
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
static const unsigned short portnum = 80; /* privileged port: binding it needs root */
int establish(void) {
  struct sockaddr_in sa; /* listening socket's address */
  int s;                 /* listening socket */
  /* Fill up the structure with address and port number */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons(portnum);
  /* Other system calls like socket() */
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
  if (bind(s, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0 ||
      listen(s, SOMAXCONN) < 0) {
    close(s); /* Perform cleanup */
    return -1;
  }
  return s;
}
int main(void) {
  int s = establish();
  if (s < 0) return EXIT_FAILURE;
  for (;;) {
    /* Block with accept() until a client connects */
    int c = accept(s, NULL, NULL);
    if (c < 0) continue;
    switch (fork()) {
    case -1: /* Error, clean up and quit */
      return EXIT_FAILURE;
    case 0: /* This is the child, handle the client (still running as root) */
      close(s);
      /* ... handle the client on c ... */
      _exit(EXIT_SUCCESS);
    default: /* This is the parent, continue blocking */
      close(c);
    }
  }
}
```
The program needs elevated privileges only to bind the listening socket, but it never gives them up. If a vulnerability in the main body of the program (for example, in the code that handles a client) allows an attacker to execute arbitrary code, that malicious code runs with the same elevated privileges.
...
```c
/* Code with elevated privileges */
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
static const unsigned short portnum = 80; /* privileged port: binding it needs root */
int establish(void) {
  struct sockaddr_in sa; /* listening socket's address */
  int s;                 /* listening socket */
  /* Fill up the structure with address and port number */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons(portnum);
  /* Other system calls like socket() */
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
  if (bind(s, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0 ||
      listen(s, SOMAXCONN) < 0) {
    close(s); /* Perform cleanup */
    return -1;
  }
  return s;
}
int main(void) {
  int s = establish();
  if (s < 0) return EXIT_FAILURE;
  /* Drop privileges permanently. This assumes a setuid-root program started
   * by an unprivileged user, so getuid()/getgid() are that user's IDs.
   * The group is dropped first: once the process is no longer root it may
   * not be allowed to change its group any more. */
  if (setgid(getgid()) == -1 || setuid(getuid()) == -1) {
    /* Handle the error */
    return EXIT_FAILURE;
  }
  if (setuid(0) != -1) {
    /* Privileges can be restored, handle error */
    return EXIT_FAILURE;
  }
  for (;;) {
    /* Block with accept() until a client connects */
    int c = accept(s, NULL, NULL);
    if (c < 0) continue;
    switch (fork()) {
    case -1: /* Error, clean up and quit */
      return EXIT_FAILURE;
    case 0: /* This is the child, handle the client */
      close(s); /* Close all open file descriptors the client does not need */
      /* ... handle the client on c as the unprivileged user ... */
      _exit(EXIT_SUCCESS);
    default: /* This is the parent, continue blocking */
      close(c);
    }
  }
}
```
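The following is an added example, not code from the CERT page: a complete Linux program that performs the bind-then-drop sequence the compliant solution sketches and verifies the drop the same way (the IDs are re-read, and a `setuid(0)` probe must fail). The function names `ids_are`, `can_regain_root`, `drop_privileges_permanently` and `privileged_listen`, and the default port 8080, are this example's own assumptions. Supplementary groups are not cleared here because `setgroups(2)` is root-only and the block is meant to run for any user; a real daemon calls it before `setgid()`.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the real and effective user and group IDs all equal (uid, gid). */
int ids_are(uid_t uid, gid_t gid) {
  return getuid() == uid && geteuid() == uid &&
         getgid() == gid && getegid() == gid;
}

/* Return 1 if the process can still become root, 0 otherwise. A successful
 * setuid(0) *is* the privilege regain, so a caller seeing 1 must abort. */
int can_regain_root(void) {
  return setuid(0) != -1;
}

/* Permanently drop to (uid, gid). Returns 0 on success, -1 if a system call
 * failed (errno is set) and 1 if the process could still regain root.
 * Group first: after the uid is dropped the process may no longer be allowed
 * to change its group. (Example helper; see lead-in for assumptions.) */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
  if (setgid(gid) == -1) return -1;
  if (setuid(uid) == -1) return -1;
  if (!ids_are(uid, gid)) return 1;
  /* Dropping "to root" is not a drop; the probe only makes sense otherwise. */
  if (uid != 0 && can_regain_root()) return 1;
  return 0;
}

/* Create, bind and listen on a TCP socket. Binding a port below 1024 is the
 * one step that needs root. Returns the socket or -1. */
int privileged_listen(unsigned short port) {
  struct sockaddr_in sa;
  int s = socket(AF_INET, SOCK_STREAM, 0);
  if (s < 0) return -1;
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = htonl(INADDR_ANY);
  sa.sin_port = htons(port);
  if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
      listen(s, SOMAXCONN) < 0) {
    close(s);
    return -1;
  }
  return s;
}

int main(int argc, char **argv) {
  /* Assumption: the port comes from argv[1], default 8080 so an unprivileged
   * run still works; a setuid-root deployment would pass 80 or similar. */
  unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 8080;
  int s = privileged_listen(port);
  if (s < 0) {
    perror("privileged_listen");
    return EXIT_FAILURE;
  }
  /* The privileged step is done: drop to the invoking user's real IDs
   * before any untrusted input is read. */
  switch (drop_privileges_permanently(getuid(), getgid())) {
  case -1:
    perror("drop_privileges_permanently");
    return EXIT_FAILURE;
  case 1:
    fprintf(stderr, "privileges could be regained, aborting\n");
    return EXIT_FAILURE;
  default:
    break;
  }
  printf("listening on port %hu as uid %u / gid %u\n", port,
         (unsigned)geteuid(), (unsigned)getegid());
  for (;;) {
    int c = accept(s, NULL, NULL);
    if (c < 0) continue;
    switch (fork()) {
    case -1: /* fork failed: drop this client, keep serving */
      close(c);
      break;
    case 0:  /* child: handle the client on c as the unprivileged user */
      close(s);
      close(c);
      _exit(EXIT_SUCCESS);
    default: /* parent: the child owns c now */
      close(c);
      break;
    }
  }
}
```

Run as `sudo ./a.out 80` from an unprivileged shell to see the bind succeed and the process continue as the invoking user; note that for a daemon started directly by root, "the real uid" is still root, so such a program must drop to a dedicated service account instead of `getuid()`.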
Risk Assessment
Failure to follow the principle of least privilege may allow exploits to execute with elevated privileges.

| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| POS02-C | High | Likely | No | No | P9 | L2 |
Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Helix QAC | | C1606 | |
| Klocwork | | SV.USAGERULES.PERMISSIONS | |
Related Vulnerabilities
CVE-2009-2031 results from a violation of this recommendation. OpenSolaris, in smbfs snv_84 through snv_110, sets permissions based on mount-point options and not actual user information (obtained from the getuid() and getgid() functions). An attacker can exploit this to achieve higher permissions. Also, in a certain initialization mode, the code grants read, write, and execute permissions to users other than the owner, which can be exploited to make files world readable [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines

| ISO/IEC TR 24772 | Adherence to Least Privilege [XYN] |
|---|---|
| MITRE CWE | CWE-250, Execution with unnecessary privileges |
| MITRE CWE | CWE-272, Least privilege violation |
Bibliography

| [DHS 2006] | Least Privilege |
|---|---|
| [Saltzer 1974] | |
| [Saltzer 1975] | |
| [Wheeler 2003] | Section 7.4, "Minimize Privileges" |
| [xorl 2009] | "OpenSolaris CIFS/SMB Invalid File Flags" |
...
...