SETUID(7) Miscellaneous Information Manual SETUID(7)

NAME

setuid - checklist for security of setuid programs

DESCRIPTION

Please note: This manual page was written long ago, and is in need of updating to match today's systems. We think it is valuable enough to include, even though parts of it are outdated. A carefully-researched updated version would be very useful, if anyone is feeling enthusiastic...

Writing a secure setuid (or setgid) program is tricky. There are a number of possible ways of subverting such a program. The most conspicuous security holes occur when a setuid program is not sufficiently careful to avoid giving away access to resources it legitimately has the use of. Most of the other attacks are basically a matter of altering the program's environment in unexpected ways and hoping it will fail in some security-breaching manner. There are generally three categories of environment manipulation: supplying a legal but unexpected environment that may cause the program to directly do something insecure, arranging for error conditions that the program may not handle correctly, and the specialized subcategory of giving the program inadequate resources in hopes that it won't respond properly.

The following are general considerations of security when writing a setuid program.

The following are ways in which the program may be induced to carelessly give away its special privileges.

The following are unusual but possible error conditions that the program should cope with properly (resource-exhaustion questions are considered separately, see below).

The following are resource-exhaustion possibilities that the program should respond properly to.

Systems which impose other resource limitations can open setuid programs to similar resource-exhaustion attacks.
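As an added example (not from the setuid(7) page), the C below shows the fail-closed handling of one such limit, descriptor exhaustion: a parent can lower RLIMIT_NOFILE before executing a setuid program, and every open() after that must be checked. The helper lowers its own soft limit the way a hostile parent would and confirms that the open-all-or-none routine fails with EMFILE and leaks nothing. All function names are this example's own; it assumes /dev/null exists and that the second test path does not.

```c
/* Added example, not part of the setuid(7) page: coping with descriptor
 * exhaustion, one of the resource limits a parent can impose on a setuid
 * program through inherited rlimits.  Names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Open every path in `paths`, or none of them.  If any open() fails
 * (EMFILE, ENFILE, ENOMEM, ...) everything opened so far is closed again
 * and -1 is returned with errno preserved, so the caller never continues
 * in a half-initialised state and no descriptor leaks. */
static int open_all_or_none(const char *const paths[], int n, int fds[])
{
    int i, saved;
    for (i = 0; i < n; i++)
        fds[i] = -1;
    for (i = 0; i < n; i++) {
        fds[i] = open(paths[i], O_RDONLY);
        if (fds[i] == -1) {
            saved = errno;
            while (--i >= 0) {
                close(fds[i]);
                fds[i] = -1;
            }
            errno = saved;
            return -1;
        }
    }
    return 0;
}

/* Count the descriptors below `limit` that are currently open. */
static int count_open_fds_below(int limit)
{
    int fd, n = 0;
    for (fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Lower the soft descriptor limit to at most 8 (as a hostile parent could do
 * before exec'ing us), ask for 10 descriptors, and report whether the
 * request failed cleanly: 1 if it failed with EMFILE and leaked nothing. */
static int exhaustion_is_handled(void)
{
    struct rlimit old, low;
    const char *paths[10];
    int fds[10], i, before, after, rc, err;

    for (i = 0; i < 10; i++)
        paths[i] = "/dev/null";
    if (getrlimit(RLIMIT_NOFILE, &old) == -1)
        return 0;
    low = old;
    low.rlim_cur = old.rlim_max < 8 ? old.rlim_max : 8;
    if (setrlimit(RLIMIT_NOFILE, &low) == -1)
        return 0;
    before = count_open_fds_below(8);
    rc = open_all_or_none(paths, 10, fds);
    err = errno;
    after = count_open_fds_below(8);
    setrlimit(RLIMIT_NOFILE, &old);          /* restore the original limit */
    return rc == -1 && err == EMFILE && before == after;
}

/* A partial failure for an ordinary reason (a path assumed not to exist)
 * must clean up the same way. */
static int missing_file_cleans_up(void)
{
    const char *paths[2] = { "/dev/null", "/nonexistent-constructed-path" };
    int fds[2], before = count_open_fds_below(64), rc;
    rc = open_all_or_none(paths, 2, fds);
    return rc == -1 && fds[0] == -1 && fds[1] == -1 &&
           count_open_fds_below(64) == before;
}

int main(void)
{
    printf("descriptor exhaustion handled: %s\n", exhaustion_is_handled() ? "yes" : "no");
    printf("partial failure cleaned up:    %s\n", missing_file_cleans_up() ? "yes" : "no");
    return 0;
}
```

The same all-or-nothing shape applies to the other limits a parent can inherit to the program (memory, process count, file size): every allocation, fork() and write() result is checked, and on failure the program releases what it holds and refuses to continue rather than carrying on with partial state.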

Setuid programs which execute ordinary programs without reducing authority pass all the above problems on to such unprepared children. Standardizing the execution environment is only a partial solution.
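The following C is an added example, not code from the setuid(7) page: it shows a setuid program reducing authority and standardizing the execution environment before it runs an ordinary child, so the child does not inherit the problems listed above. All names are this example's own; the child path, its arguments and the target uid/gid are assumed to come from the caller, and /bin/echo is only a stand-in child.

```c
/* Added example, not part of the setuid(7) page: reduce authority and
 * standardize the environment before running an ordinary child program.
 * Names here are this example's own; path, argv and target ids are assumed
 * to be supplied by the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are open: if the parent closed them, the
 * next file we open would land on a standard descriptor and diagnostics
 * (ours or the child's) could be written into that file. */
static int ensure_std_fds_open(void)
{
    int fd;
    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd == -1)
                return -1;
            if (nfd != fd) {                 /* open() returns the lowest free fd, */
                if (dup2(nfd, fd) == -1) {   /* so this branch is only a safety net */
                    close(nfd);
                    return -1;
                }
                close(nfd);
            }
        }
    }
    return 0;
}

/* Close every inherited descriptor above 2 so the child cannot reach files
 * the privileged parent opened (closefrom()/close_range() do this more
 * efficiently where available). */
static void close_inherited_fds(void)
{
    struct rlimit rl;
    int maxfd = 1024, fd;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY &&
        rl.rlim_cur < (rlim_t)INT_MAX)
        maxfd = (int)rl.rlim_cur;
    for (fd = 3; fd < maxfd; fd++)
        close(fd);
}

/* SIG_IGN dispositions and the signal mask survive execve(), so put them
 * back to a known state before running the child. */
static void reset_signals(void)
{
    static const int sigs[] = { SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGALRM, SIGTERM, SIGCHLD };
    sigset_t none;
    size_t i;
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        signal(sigs[i], SIG_DFL);
    sigemptyset(&none);
    sigprocmask(SIG_SETMASK, &none, NULL);
}

/* Permanently give up privileges: supplementary groups first, then gid, then
 * uid (after setuid() to a non-root uid the groups could no longer be
 * changed).  Then verify the drop happened and cannot be undone. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)   /* only root may do this */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) != -1 || setgid(0) != -1))   /* regaining root must fail */
        return -1;
    return 0;
}

/* A fixed, minimal environment: nothing inherited from the invoker, so PATH,
 * IFS, LD_* and the like cannot steer the child. */
static char *const safe_environ[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run an ordinary program with reduced authority and a clean environment.
 * Like execve(), this only returns on failure. */
static int run_unprivileged(const char *path, char *const argv[], uid_t uid, gid_t gid)
{
    if (ensure_std_fds_open() == -1)
        return -1;
    close_inherited_fds();
    reset_signals();
    umask(077);                      /* do not pass on a permissive mask */
    if (drop_privileges(uid, gid) == -1)
        return -1;
    execve(path, argv, safe_environ);
    return -1;
}

int main(void)
{
    char *const child_argv[] = { "echo", "running with reduced authority", NULL };
    /* Run the child as the invoking (real) user, discarding the setuid identity. */
    if (run_unprivileged("/bin/echo", child_argv, getuid(), getgid()) == -1) {
        perror("run_unprivileged");
        return 1;
    }
    return 0;
}
```

The order inside run_unprivileged() matters: descriptors, signals and umask are fixed while the program still has its privileges, the identity is dropped and verified last, and the verification (setuid(0) must fail) is what turns "we called setuid()" into "we actually lost the privilege". The fixed environment is the standardization the page calls a partial solution; it removes the invoker's influence on the child but does nothing about what the child does with its own inputs.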

SEE ALSO

passwd(1), pwd(1), access(2), chdir(2), chroot(2), execve(2), fcntl(2), fork(2), getlogin(2), link(2), setegid(2), seteuid(2), setgid(2), setgroups(2), setrlimit(2), setuid(2), sigaction(2), umask(2), alarm(3), creat(3), execvp(3), popen(3), printf(3), ttyname(3)

HISTORY

Written by Henry Spencer, and based on additional outside contributions.

AUTHORS

Henry Spencer <henry@spsystems.net>

BUGS

The list really is rather long... and probably incomplete.

February 26, 2009 NetBSD 6.1