Guidelines for writing trusted software

Privilege and special access

There are two forms of special access in UNIX System V. The first is the access granted by the set-id feature, and the second is privilege. In the past these have been bound together through the root effective user identity, and they continue to be bound in superuser-based versions of UNIX System V.

Set-id commands

Commands that use the set-id feature to obtain access to files not otherwise available to the invoking user must carefully control not only their own use of these access permissions, but also how these permissions are passed on to any other command they run. There is always the possibility of a Trojan Horse when a command executes another command, so care must be taken (see ``Executing other commands''). In this section, the issue is incorrect use of special access rights. In general, the best protection against either incorrect use or a Trojan Horse is to reset the effective user and group identity to the real identity immediately on entry to a command, assert the special identities only where they are explicitly needed, and return to the real identity as soon as the privileged operation is complete. The return value of every identity change must be checked: a reset that fails must be treated as fatal, because continuing with an unexpected effective identity either makes later operations fail unpredictably or grants access that was never intended. The code excerpt in ``Correct regulation of access in C programs'' illustrates the procedure.

   #include <stdio.h>
   #include <stdlib.h>
   #include <fcntl.h>
   #include <unistd.h>
   #include <sys/types.h>

   static  uid_t   eff_uid, real_uid;
   static  gid_t   eff_gid, real_gid;  /*Group IDs are gid_t, not uid_t*/
   static  int     fd = -1;            /*Descriptor opened with special access*/

   static void error(const char *msg)  /*Report error and exit*/
   {
           fprintf(stderr, "%s\n", msg);
           exit(1);
   }

   static void cleanup(void)           /*Restore consistency: release what was opened*/
   {
           if (fd >= 0)
                   close(fd);
   }
           /* ... */
   int main(int argc, char *argv[])
   {
           /*Variable declarations*/
           eff_uid = geteuid();        /*Record the set-id identities ...*/
           eff_gid = getegid();
           real_uid = getuid();        /*... and the invoking user's identities*/
           real_gid = getgid();
           if(seteuid(real_uid) < 0){  /*Set the effective UID to the real*/
                   error("Cannot reset UID."); /*Report error and exit*/
           }
           if(setegid(real_gid) < 0){  /*Set the effective GID to the real*/
                   error("Cannot reset GID."); /*Report error and exit*/
           }
                 /* ... */
           if(setegid(eff_gid) < 0){            /*Assert the effective GID*/
                   error("Cannot assert GID.");/*Report error and exit*/
           }
           fd = open("/etc/security_file", O_RDWR); /*Only this call runs with special access*/
           if(setegid(real_gid) < 0){  /*Set the effective GID to the real*/
                   cleanup();                  /*Restore consistency*/
                   error("Cannot reset GID."); /*Report error and exit*/
           }
           if(fd < 0){
                   error("Cannot open file."); /*Report error and exit*/
           }
           /*Process data*/
                 /* ... */
           close(fd);
           return 0;
   }

Correct regulation of access in C programs
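The excerpt above asserts only the effective group ID, around a single open. As an added example, not taken from the UnixWare documentation, the following C helpers apply the same discipline to both identities and add the check a practitioner wants: each identity change is verified with the corresponding get*id() call rather than trusted on a zero return, and a failed reset after the privileged operation closes the descriptor instead of continuing in a mixed state. The function names (privs_init, privs_drop, privs_raise, open_privileged) and the path opened in main are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700       /* expose seteuid()/setegid() prototypes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Identities recorded once at entry; "eff" is the set-id identity. */
static uid_t eff_uid, real_uid;
static gid_t eff_gid, real_gid;

/*
 * Return to the real (invoking user's) identity. Group first, while the
 * effective user may still be privileged, then user. Each change is
 * verified with get*id() rather than trusted on a zero return.
 * Returns 0 on success, -1 on failure (the caller must treat this as fatal).
 */
int privs_drop(void)
{
    if (setegid(real_gid) < 0 || getegid() != real_gid)
        return -1;
    if (seteuid(real_uid) < 0 || geteuid() != real_uid)
        return -1;
    return 0;
}

/* Record all four identities at program entry and immediately drop. */
int privs_init(void)
{
    eff_uid  = geteuid();
    eff_gid  = getegid();
    real_uid = getuid();
    real_gid = getgid();
    return privs_drop();
}

/*
 * Re-assert the set-id identity: user first (so the group change is
 * permitted), then group. On a half-failure fall back to the real user
 * so the process never continues with a mixed identity.
 */
int privs_raise(void)
{
    if (seteuid(eff_uid) < 0 || geteuid() != eff_uid)
        return -1;
    if (setegid(eff_gid) < 0 || getegid() != eff_gid) {
        (void)seteuid(real_uid);
        return -1;
    }
    return 0;
}

/*
 * Open a file with the special identity asserted only for the duration of
 * open(2). The descriptor is returned with the real identity restored.
 * If the identity cannot be restored, the descriptor is closed and -1 is
 * returned, mirroring the cleanup()/error() path in the excerpt above.
 */
int open_privileged(const char *path, int flags)
{
    int fd, saved_errno;

    if (privs_raise() < 0)
        return -1;
    fd = open(path, flags);
    saved_errno = errno;         /* preserve the open() failure reason */
    if (privs_drop() < 0) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Stand-alone demonstration; the path is an assumption for illustration. */
int main(void)
{
    int fd;

    if (privs_init() < 0) {
        perror("privs_init");
        return 1;
    }
    fd = open_privileged("/etc/passwd", O_RDONLY);
    if (fd < 0) {
        perror("open_privileged");
        return 1;
    }
    printf("opened fd %d; now running as euid %ld egid %ld\n",
           fd, (long)geteuid(), (long)getegid());
    close(fd);
    return 0;
}
```

Run as an ordinary user the four identities coincide, so every change is a verified no-op and the program behaves like any unprivileged one; installed set-uid or set-gid, the same code exercises the full drop/raise/drop sequence with the special identity held only across the open. The group-before-user order when dropping, and user-before-group when raising, keeps each group change within the window where the effective user still has the right to make it.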



© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 27 April 2004