1.\" $NetBSD: setuid.7,v 1.1 2003/02/17 10:30:34 wiz Exp $ 2.\" 3.\" Copyright (c) 2003 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Henry Spencer <henry@spsystems.net>. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. Neither the name of The NetBSD Foundation nor the names of its 18.\" contributors may be used to endorse or promote products derived 19.\" from this software without specific prior written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 22.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 23.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 25.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 28.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 29.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 30.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31.\" POSSIBILITY OF SUCH DAMAGE. 32.\" 33.Dd February 10, 2003 34.Os 35.Dt SETUID 7 36.Sh NAME 37.Nm setuid 38.Nd checklist for security of setuid programs 39.Sh DESCRIPTION 40.Em Please note : 41This manual page was written long ago, and is in need of updating to 42match today's systems. 43We think it is valuable enough to include, even though parts of it 44are outdated. 45A carefully-researched updated version 46would be very useful, if anyone is feeling enthusiastic... 47.Pp 48Writing a secure setuid (or setgid) program is tricky. 49There are a number of possible ways of subverting such a program. 50The most conspicuous security holes occur when a setuid program is 51not sufficiently careful to avoid giving away access to resources 52it legitimately has the use of. 53Most of the other attacks are basically a matter of altering the program's 54environment in unexpected ways and hoping it will fail in some 55security-breaching manner. 56There are generally three categories of environment manipulation: 57supplying a legal but unexpected environment that may cause the 58program to directly do something insecure, 59arranging for error conditions that the program may not handle correctly, 60and the specialized subcategory of giving the program inadequate 61resources in hopes that it won't respond properly. 62.Pp 63The following are general considerations of security when writing 64a setuid program. 65.Bl -bullet 66.It 67The program should run with the weakest userid possible, preferably 68one used only by itself. 69A security hole in a setuid program running with a highly-privileged 70userid can compromise an entire system. 71Security-critical programs like 72.Xr passwd 1 73should always have private userids, to minimize possible damage 74from penetrations elsewhere. 75.It 76The result of 77.Xr getlogin 2 78or 79.Xr ttyname 3 80may be wrong if the descriptors have been meddled with. 81There is 82.Em no 83foolproof way to determine the controlling terminal 84or the login name (as opposed to uid) on V7. 85.It 86On some systems, the setuid bit may not be honored if 87the program is run by root, 88so the program may find itself running as root. 89.It 90Programs that attempt to use 91.Xr creat 3 92for locking can foul up when run by root; 93use of 94.Xr link 2 95is preferred when implementing locking. 96Using 97.Xr chmod 2 98for locking is an obvious disaster. 99.It 100Breaking an existing lock is very dangerous; the breakdown of a locking 101protocol may be symptomatic of far worse problems. 102Doing so on the basis of the lock being 103.Sq old 104is sometimes necessary, 105but programs can run for surprising lengths of time on heavily-loaded 106systems. 107.It 108Care must be taken that user requests for I/O are checked for 109permissions using the user's permissions, not the program's. 110Use of 111.Xr access 2 112is recommended. 113.It 114Programs executed at user request (e.g. shell escapes) must 115not receive the setuid program's permissions; 116use of daughter processes and 117.Dq setuid(getuid()) 118plus 119.Dq setgid(getgid()) 120after 121.Xr fork 2 122but before 123.Xr exec 3 124is vital. 125.It 126Similarly, programs executed at user request must not receive other 127sensitive resources, notably file descriptors. 128.\" Use of 129.\" .Xr closeall 3 130.\" or close-on-exec arrangements, 131.\" on systems which have them, 132.\" is recommended. 133.Pp 134Programs activated by one user but handling traffic on behalf of 135others (e.g. daemons) should avoid doing 136.Dq setuid(getuid()) 137or 138.Dq setgid(getgid()) , 139since the original invoker's identity is almost certainly inappropriate. 140On systems which permit it, use of 141.Dq setuid(geteuid()) 142and 143.Dq setgid(getegid()) 144is recommended when performing work on behalf of the system as 145opposed to a specific user. 146.It 147There are inherent permission problems when a setuid program executes 148another setuid program, 149since the permissions are not additive. 150Care should be taken that created files are not owned by the wrong person. 151Use of 152.Dq setuid(geteuid()) 153and its gid counterpart can help, if the system allows them. 154.It 155Care should be taken that newly-created files do not have the wrong 156permission or ownership even momentarily. 157Permissions should be arranged by using 158.Xr umask 2 159in advance, rather than by creating the file wide-open and then using 160.Xr chmod 2 . 161Ownership can get sticky due to the limitations of the setuid concept, 162although using a daughter process connected by a pipe can help. 163.It 164Setuid programs should be especially careful about error checking, 165and the normal response to a strange situation should be termination, 166rather than an attempt to carry on. 167.El 168.Pp 169The following are ways in which the program may be induced to carelessly 170give away its special privileges. 171.Bl -bullet 172.It 173The directory the program is started in, or directories it may 174plausibly 175.Xr chdir 2 176to, may contain programs with the same names as system programs, 177placed there in hopes that the program will activate a shell with 178a permissive 179.Ev PATH 180setting. 181.Ev PATH 182should 183.Em always 184be standardized before invoking a shell 185(either directly or via 186.Xr popen 3 187or 188.Xr execvp 3 189or 190.Xr execlp 3 ) . 191.It 192Similarly, a bizarre 193.Ev IFS 194setting may alter the interpretation of a shell command in really 195strange ways, possibly causing a user-supplied program to be invoked. 196.Ev IFS 197too should always be standardized before invoking a shell. 198.It 199Environment variables in general cannot be trusted. 200Their contents should never be taken for granted. 201.It 202Setuid shell files (on systems which implement such) simply cannot 203cope adequately with some of these problems. 204They also have some nasty problems like trying to run a 205.Pa \&.profile 206when run under a suitable name. 207They are terminally insecure, and must be avoided. 208.It 209Relying on the contents of files placed in publically-writable 210directories, such as 211.Pa /tmp , 212is a nearly-incurable security problem. 213Setuid programs should avoid using 214.Pa /tmp 215entirely, if humanly possible. 216The sticky-directories modification (sticky bit on for a directory means 217only owner of a file can remove it) helps, 218but is not a complete solution. 219.It 220A related problem is that 221spool directories, holding information that the program will trust 222later, must never be publically writable even if the files in the 223directory are protected. 224Among other sinister manipulations that can be performed, note that 225on many Unixes, a core dump of a setuid program is owned 226by the program's owner and not by the user running it. 227.El 228.Pp 229The following are unusual but possible error conditions that the 230program should cope with properly (resource-exhaustion questions 231are considered separately, see below). 232.Bl -bullet 233.It 234The value of 235.Ar argc 236might be 0. 237.It 238The setting of the 239.Xr umask 2 240might not be sensible. 241In any case, it should be standardized when creating files 242not intended to be owned by the user. 243.It 244One or more of the standard descriptors might be closed, so that 245an opened file might get (say) descriptor 1, causing chaos if the 246program tries to do a 247.Xr printf 3 . 248.It 249The current directory (or any of its parents) 250may be unreadable and unsearchable. 251On many systems 252.Xr pwd 1 253does not run setuid-root, 254so it can fail under such conditions. 255.It 256Descriptors shared by other processes (i.e., any that are open 257on startup) may be manipulated in strange ways by said processes. 258.It 259The standard descriptors may refer to a terminal which has a bizarre 260mode setting, or which cannot be opened again, 261or which gives end-of-file on any read attempt, or which cannot 262be read or written successfully. 263.It 264The process may be hit by interrupt, quit, hangup, or broken-pipe signals, 265singly or in fast succession. 266The user may deliberately exploit the race conditions inherent 267in catching signals; 268ignoring signals is safe, but catching them is not. 269.It 270Although non-keyboard signals cannot be sent by ordinary users in V7, 271they may perhaps be sent by the system authorities (e.g. to 272indicate that the system is about to shut down), 273so the possibility cannot be ignored. 274.It 275On some systems there may be an 276.Xr alarm 3 277signal pending on startup. 278.It 279The program may have children it did not create. 280This is normal when the process is part of a pipeline. 281.It 282In some non-V7 systems, users can change the ownerships of their files. 283Setuid programs should avoid trusting the owner identification of a file. 284.It 285User-supplied arguments and input data 286.Em must 287be checked meticulously. 288Overly-long input stored in an array without proper bound checking 289can easily breach security. 290When software depends on a file being in a specific format, user-supplied 291data should never be inserted into the file without being checked first. 292Meticulous checking includes allowing for the possibility of non-ASCII 293characters. 294.It 295Temporary files left in public directories like 296.Pa /tmp 297might vanish at inconvenient times. 298.El 299.Pp 300The following are resource-exhaustion possibilities that the 301program should respond properly to. 302.Bl -bullet 303.It 304The user might have used up all of his allowed processes, so 305any attempt to create a new one (via 306.Xr fork 2 307or 308.Xr popen 3 ) 309will fail. 310.It 311There might be many files open, exhausting the supply of descriptors. 312.\" Running 313.\" .Xr closeall 3 , 314.\" on systems which have it, 315.\" is recommended. 316.It 317There might be many arguments. 318.It 319The arguments and the environment together might occupy a great deal 320of space. 321.El 322.Pp 323Systems which impose other resource limitations can open setuid 324programs to similar resource-exhaustion attacks. 325.Pp 326Setuid programs which execute ordinary programs without reducing 327authority pass all the above problems on to such unprepared children. 328Standardizing the execution environment is only a partial solution. 329.\" .Sh SEE ALSO 330.\" .Xr closeall 3 331.Sh HISTORY 332Written by Henry Spencer, and based on additional outside contributions. 333.Sh AUTHORS 334.An Henry Spencer Aq henry@spsystems.net 335.Sh BUGS 336The list really is rather long... 337and probably incomplete. 338