What you can't do before you drop setuid permissions

August 2, 2009

Let us suppose that you have a program that is setuid root but that usually drops its setuid status and reverts to running as the user that ran it. Of course you want to do this as early as possible to reduce the potential security risks, but at the same time you might want do some operations while still root (for reasons of either necessity or convenience in your code structure).

Consider the following tempting sequence, presented in pseudo-code:


Innocently, one would think that this code is harmless and safe. One would be mistaken; this code is wrong and buggy. If the user's home directory is on NFS and has restricted access permissions, the chdir() will fail, because root has less permissions than a normal user when working over NFS.

Now, consider this sequence (and assume that $HOME is secure, since this is just pseudo-code being written for clarity):

open($HOME/.config, "r");

This code is not just buggy, it is a security exposure. It is buggy for the same reason that the first code is (root may not be able to open $HOME/.config, although the user could), and it is a security exposure because the user can make your program open anything on the system with root permissions. Even assuming that there is no way at all to make your program print out any part of the contents of the user's (apparent) configuration file (either correctly formatted or full of syntax errors), there are things that cause side effects when opened and closed.

(And you cannot fix this.)

I don't know what you can safely do before dropping setuid permissions; it's a dangerous and hard problem that I don't know enough about to have an opinion beyond 'as little as possible'. But I do know that you definitely can't do either of these things.

(Now you can probably guess why I was tracing a setuid Linux program, and why I redacted the program name.)

Written on 02 August 2009.
« Using SystemTap to trace the system calls of setuid programs on Linux
Limitations on custom NFS mount authorization on Solaris »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Aug 2 16:00:47 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.