You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

In case of set-user-ID and set-group-ID programs, when the user-ID and group-ID are different from those of the user, it is important to drop not only the user level privileges but also the group and supplemental group privileges. While doing so, the order of revocation must be correct.

POSIX defines setgid() to have the following behaviour [[Open Group 04]]

If the process has appropriate privileges, setgid() shall set the real group ID, effective group ID, and the saved set-group-ID of the calling process to gid.

If the process does not have appropriate privileges, but gid is equal to the real group ID or the saved set-group-ID, setgid() shall set the effective group ID to gid; the real group ID and saved set-group-ID shall remain unchanged.

Non-Compliant Code Example

This non-compliant code example drops privileges to those of the real user and similarly also accounts for dropping the group privileges. However, the specified order is incorrect as the call to setuid() will leave the effective UID as non zero. The setgid() system call in the next line should be run with superuser privileges, however, this call fails to behave as expected since the effective user ID is no longer that of the superuser (now non zero after the privilege drop in the previous line). In effect, if another flaw that allows execution of a setegid(0) or a setregid(-1,0) is found in the program, the attacker can regain the original group privileges because setgid(getgid()) tends to leave the saved set-group-ID intact under the conditions discussed.

/* Drop superuser privileges in incorrect order */

setuid(getuid());
setgid(getgid());

/* It is still possible to regain group privileges due to incorrect relinquishment order */ 

Compliant Solution

Relinquish group privileges before taking away the user level privileges so that both operations execute as intended.

/*  Drop superuser privileges in correct order */

setgid(getgid());
setuid(getuid());

/*  Not possible to regain group privileges due to correct relinquishment order  */ 

Risk Assessment

This rule captures avoidable mistakes which may otherwise lead to a false sense of code security and unintended privilege escalation.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

POS36-C

high

probable

medium

P12

L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Chen 02]] Setuid Demystified
[[Dowd 06]] Chapter 9, "Unix I: Privileges and Files"
[[Open Group 04]] setuid(), setgid()

  • No labels