ABSTRACT
We revisit the setuid family of calls for privilege management that is implemented in several widely used operating systems. Three of the four commonly used calls in the family are standardized by POSIX. We investigate the current status of setuid and, in the process, challenge some assertions in prior work. We address three sets of questions with regard to the setuid family. (1) Is the POSIX standard indeed broken, as prior work suggests? (2) Are implementations POSIX-compliant, as claimed? (3) Are the wrapper functions that prior work proposes to circumvent issues with the setuid calls correct and usable? Towards (1), we express the standards in a precise syntax that allows us to assess whether they are unambiguous, logically consistent descriptions of well-formed functions. We have discovered that two of the three standardized functions fit these criteria, thereby challenging assertions in prior work regarding the quality of the standard. In the cases where the standard is broken, we give a clear characterization and suggest that the standard can be fixed easily, but at the cost of backwards compatibility. Towards (2), we perform a state-space enumeration as in prior work, report on our discoveries, and discuss the implications of non-conformance and of differences between implementations. Towards (3), we discuss some issues that we have discovered with prior wrappers. We then propose a new suite of wrapper functions, designed with a different mindset from prior work, that provide both stronger guarantees with respect to atomicity and a clearer semantics for permanent and temporary changes in process identity. Our work thus brings a fresh approach to setuid, a well-established mechanism for privilege management.
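The distinction the abstract draws between permanent and temporary changes of process identity is easiest to see in code. The following C program is an added example written for this page; it is not the paper's wrapper suite and not code from the unix-process-identity project. It uses only the POSIX-standardized calls (setuid, seteuid, setgid, setegid) and verifies each change afterwards, following the CERT POS37-C rule that privilege relinquishment must be checked rather than assumed. The function names drop_privileges_permanently, drop_privileges_temporarily and restore_privileges are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanent drop: set real, effective and saved IDs to (uid, gid) using only
 * the POSIX-standardized calls.  The group is changed first, while the process
 * still has the privilege to do so.  Returns 0 on success and -1 (errno set)
 * on failure, including the case where the drop turned out not to be permanent.
 * (Function name is an assumption of this example, not the paper's API.)
 */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop cannot be undone (the CERT POS37-C discipline): if the
     * old effective uid differs from the target, regaining it must fail.  If
     * setuid() only changed the effective uid (no "appropriate privileges"),
     * the saved uid still permits the switch back and the drop was temporary. */
    if (old_euid != uid && seteuid(old_euid) == 0) {
        int rc = seteuid(uid);   /* best effort: return to the lower privilege */
        (void)rc;
        errno = EPERM;
        return -1;
    }

    /* All four IDs visible through POSIX getters must now match the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Temporary drop: only the effective IDs change; the saved IDs keep the
 * original identity so that restore_privileges() can switch back.
 */
int drop_privileges_temporarily(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Restore: user first, since the effective uid is what grants the right to
 * change the group. */
int restore_privileges(uid_t uid, gid_t gid)
{
    if (seteuid(uid) != 0)
        return -1;
    if (setegid(gid) != 0)
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* In a set-user-ID binary euid != ruid: drop to the real user temporarily,
     * come back, then drop for good. */
    if (drop_privileges_temporarily(ruid, rgid) != 0) {
        perror("temporary drop");
        return 1;
    }
    if (restore_privileges(euid, egid) != 0) {
        perror("restore");
        return 1;
    }
    if (drop_privileges_permanently(ruid, rgid) != 0) {
        perror("permanent drop");
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

Two caveats that the abstract's own concerns point at: the "try to regain the old identity" check is what turns a hopeful setuid() into a verified permanent drop, since without appropriate privileges setuid() changes only the effective uid and leaves the saved uid available; and none of this addresses the atomicity of a change across threads or the non-POSIX parts of identity (supplementary groups, setresuid), which are exactly where the paper's wrappers go beyond the standard calls.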
Title: The UNIX Process Identity Crisis: A Standards-Driven Approach to Setuid