Shu-Yu Fu, profile picture
Uploaded byShu-Yu Fu
466 views

Tlpi chapter 38 writing secure privileged programs

This document discusses guidelines for securely writing privileged programs. It recommends operating with least privilege by dropping privileges when they are not needed and reacquiring them only as required. It also recommends confining the process using capabilities or chroot jails, being careful of signals and race conditions, avoiding buffer overflows, and checking return values of system calls. The overall aim is to minimize the chances of a privileged program being subverted and to minimize potential damage if subversion occurs.

Embed presentation

TLPI - Chapter 38 Writing Secure Privileged Programs Shu-Yu Fu (shuyufu@gmail.com)
In This Chapter We discuss a set of recommended practices for secure programming, and describes various pitfalls that should be avoided when writing privileged programs.
Privileged Programs ● have access to features and resources that are not available to ordinary users. ● was started under a privileged user ID. ● has its set-user-ID or set-group-ID permission bit set. ○ When a set-user-id (set-group-ID) program is execed, it changes the effective user (group) ID of the process to be the same as the owner (group) of the program file.
Is a Set-User-ID or Set-Group-ID Program Required? ● Avoid writing them whenever possible. ● Is there an alternative way? ● Isolate the functionality that needs privilege into a separate program. ● It isn't always necessary for a set-user-ID program to give a process root credentials. ● A dedicated group account (group ID) for the program.
Operate with Least Privilege ● The saved set-user-ID facility was designed for this purpose. uid_t orig_euid; orig_euid = geteuid(); /* Drop privileges */ if (seteuid(getuid()) == -1) errExit("seteuid"); /* Do unprivileged work*/ /* Hold privileges only while they are required. */ /* Reacquire privileges */ if (seteuid(orig_euid) == -1) errExit("seteuid"); /* Do privileged work*/ /* We must gain privilege prior to dropping it permanently */ /* Drop privileges permanently when they will never agin be required. */ /* Use setuid() for set-user-root and setreuid() (or setresuid()) for set-user-ID program */ if (setuid(getuid() == -1) errExit("setuid");
Operate with Least Privilege (cont.) ● [Tsafrir et al., 2008] recommends that applications should use system specific nonstandard system calls for changing process credentials. ● Not only check that a credential-changing system call has succeeded, but also to verify that the change occurred as expected. ● We should drop/raise the privileged effective user ID last/first when dropping/raising privileged IDs.
Be Careful When Executing a Program ● Drop privileges permanently before execing another program. ● Avoid executing a shell (or other interpreter) with privileges. ● Close all unnecessary file descriptors before an exec().
Avoid Exposing Sensitive Information ● When a program reads sensitive information, it should perform whatever processing is required, and then immediately erase the information from memory. ○ The virtual memory page may be swapped out, and could then be read from the swap area by a privileged program. ○ If the process receives a signal that causes it to produce a core dump file, then that file may be read to obtain the information.
Confine the Process ● Consider using capabilities The Linux capabilities scheme divides the traditional all-or-nothing UNIX privilege scheme into distinct units called capabilities. ● Consider using a chroot jail to limit the set of directories and files that a program may access. However, a chroot jail in insufficient to confine a set-user-ID-root program.
Beware of Signals and Race Conditions ● We need to consider the race conditions that can occur if a signal is delivered at any point in the execution of the program. ○ Time-of-check, time-of-use race condition.
Pitfalls When Performing File Operations and File I/O ● The process umask should be set to a value that ensures that the process never creates publicly writable files. ● Use of seteuid() or setreuid() may required in order ensure that a newly created file doesn't belong to the wrong user. ● Checks on file attributes should be performed on open file descriptors. (Avoid time-of-use, time-of-check problem) ● If a program must ensure that it is the creator of a file, then the O_EXCL flag should be used when calling open(). ● A privileged program should avoid creating or relying on files in publicly writable directories.
Don't Trust Inputs or the Environment ● Don't trust the environment list. ○ Especially PATH and IFS. ● Handle untrusted user inputs defensively. ○ User-created files, command-line arguments, interactive inputs, CGI inputs, email messages, environment variables, IPC (FIFOs, shared memory, and so on) accessible by untrusted users, and network packets. ● Avoid unreliable assumptions about the process's run-time environment.
Beware of Buffer Overruns ● Never use gets(), and employ functions such as scanf(), sprintf(), strcpy(), and strcat() with caution. ○ stack crashing (a.k.a. stack smashing) ■ address-space-randomization ■ NX (no execute) ● Alternatives, snprintf(), strncpy(), and strncat(). ○ The caller must check if truncation occurred. ○ Using strncpy() can carry a performance impact. ○ If the maximum size value given to strncpy() is not long enough to permit the inclusion of the terminating null character, the target string is not null-terminated.
Beware of Denial-of-Service Attacks ● Denial-of-service attacks attempt to make a service unavailable to legitimate clients. ○ A server should be programmed to rigorously check its input and avoid buffer overruns. ○ The Server should perform load throttling. ○ A server should employ timeouts for communication with a client. SYN flood ○ In the event of an overload, the server should log suitable messages. However, logging should be throttled. ○ The server should be programmed so that it doesn't crash in the face of an unexpected load. ○ Data structures should be designed to avoid algorithmic- complexity attacks. ○ Spoofing attack
Check Return Statuses and Fail Safely ● A program should always check to see whether system calls and library functions succeed, and whether they return expected values. ● If a privileged program encounters an unexpected situation, then the appropriate behavior is usually either to terminate or, in the case of a server, to drop the client request.
Summary In this chapter, we presented a set of guidelines for writing privileged programs. The aim of these guidelines is twofold: to minimize the chances of a privileged program being subverted, and to minimize the damage that can be done in the event that a privileged program is subverted.
Reference ● Oracle LinuxSecurity Guide for Release 6, Chapter 4. Security Considerations for Developers ● Secure Programming for Linux and Unix HOWTO

More Related Content

PDF
CSI-503 - 3. Process Scheduling
byghayour abbas
 
PPT
Concurrent process
byYogendra Rwl
 
PPTX
Concurrency
byrizwanaabassi
 
PDF
TLPI Chapter 14 File Systems
byShu-Yu Fu
 
PDF
TLPI - 6 Process
byShu-Yu Fu
 
PDF
TLPI - Chapter 44 Pipe and Fifos
byShu-Yu Fu
 
PDF
程式設計師的自我修養 Chapter 5
byShu-Yu Fu
 
PDF
程式設計師的自我修養 Chapter 1
byShu-Yu Fu
 
CSI-503 - 3. Process Scheduling
byghayour abbas
 
Concurrent process
byYogendra Rwl
 
Concurrency
byrizwanaabassi
 
TLPI Chapter 14 File Systems
byShu-Yu Fu
 
TLPI - 6 Process
byShu-Yu Fu
 
TLPI - Chapter 44 Pipe and Fifos
byShu-Yu Fu
 
程式設計師的自我修養 Chapter 5
byShu-Yu Fu
 
程式設計師的自我修養 Chapter 1
byShu-Yu Fu
 

Similar to Tlpi chapter 38 writing secure privileged programs

PDF
SECURITY PRINCIPLES AND OS SECURITY IN SIE
bymonishap45
 
PPT
L27
byNathannyabvureMapisa
 
PDF
<marquee>html title testfsdjk34254</marquee>
byslideshareperson2
 
PDF
" onclick="alert(1)
byslideshareperson2
 
PDF
Secure codingguide
byDavid Kwak
 
PPT
demo1
bygoogli
 
PPT
Web security programming_ii
bygoogli
 
PPT
Web Security Programming I I
byPavu Jas
 
PPT
Web security programming_ii
bygoogli
 
PDF
Exploitation and distribution of setuid and setgid binaries on Linux systems
byZero Science Lab
 
PPT
OS Security 2009
byDeborah Obasogie
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
PDF
Software Security
byRoman Oliynykov
 
PDF
Chapter 2 program-security
byVamsee Krishna Kiran
 
PPT
access control configurations and principles
byAngieloBecenia1
 
PPTX
Software Security information security
bymubeen arshad
 
PPT
Software security
byRoman Oliynykov
 
PPT
6 buffer overflows
bydrewz lin
 
PDF
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
PPT
OperatingSystem.ppt
byKaivanParikh
 
SECURITY PRINCIPLES AND OS SECURITY IN SIE
bymonishap45
 
L27
byNathannyabvureMapisa
 
<marquee>html title testfsdjk34254</marquee>
byslideshareperson2
 
" onclick="alert(1)
byslideshareperson2
 
Secure codingguide
byDavid Kwak
 
demo1
bygoogli
 
Web security programming_ii
bygoogli
 
Web Security Programming I I
byPavu Jas
 
Web security programming_ii
bygoogli
 
Exploitation and distribution of setuid and setgid binaries on Linux systems
byZero Science Lab
 
OS Security 2009
byDeborah Obasogie
 
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
Software Security
byRoman Oliynykov
 
Chapter 2 program-security
byVamsee Krishna Kiran
 
access control configurations and principles
byAngieloBecenia1
 
Software Security information security
bymubeen arshad
 
Software security
byRoman Oliynykov
 
6 buffer overflows
bydrewz lin
 
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
OperatingSystem.ppt
byKaivanParikh
 

More from Shu-Yu Fu

PDF
團隊之美 第三篇 實踐 (Part 1)
byShu-Yu Fu
 
PDF
團隊之美 第二篇 目標
byShu-Yu Fu
 
PDF
TLPI - 7 Memory Allocation
byShu-Yu Fu
 
PDF
程式設計師的自我修養 Chapter 10 記憶體
byShu-Yu Fu
 
PDF
大家來學GObject
byShu-Yu Fu
 
PDF
程式設計師的自我修養 Chapter 3.4
byShu-Yu Fu
 
PDF
程式設計師的自我修養 Chapter 8
byShu-Yu Fu
 
團隊之美 第三篇 實踐 (Part 1)
byShu-Yu Fu
 
團隊之美 第二篇 目標
byShu-Yu Fu
 
TLPI - 7 Memory Allocation
byShu-Yu Fu
 
程式設計師的自我修養 Chapter 10 記憶體
byShu-Yu Fu
 
大家來學GObject
byShu-Yu Fu
 
程式設計師的自我修養 Chapter 3.4
byShu-Yu Fu
 
程式設計師的自我修養 Chapter 8
byShu-Yu Fu
 

Recently uploaded

PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
DOCX
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 
PPTX
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
PDF
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
PPTX
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PDF
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
DOCX
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Mathematical reviewer gor mmw in theofern
byyeojlevantinojesalva
 
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 

Tlpi chapter 38 writing secure privileged programs

  • 1.
    TLPI - Chapter38 Writing Secure Privileged Programs Shu-Yu Fu (shuyufu@gmail.com)
  • 2.
    In This Chapter Wediscuss a set of recommended practices for secure programming, and describes various pitfalls that should be avoided when writing privileged programs.
  • 3.
    Privileged Programs ● haveaccess to features and resources that are not available to ordinary users. ● was started under a privileged user ID. ● has its set-user-ID or set-group-ID permission bit set. ○ When a set-user-id (set-group-ID) program is execed, it changes the effective user (group) ID of the process to be the same as the owner (group) of the program file.
  • 4.
    Is a Set-User-IDor Set-Group-ID Program Required? ● Avoid writing them whenever possible. ● Is there an alternative way? ● Isolate the functionality that needs privilege into a separate program. ● It isn't always necessary for a set-user-ID program to give a process root credentials. ● A dedicated group account (group ID) for the program.
  • 5.
    Operate with LeastPrivilege ● The saved set-user-ID facility was designed for this purpose. uid_t orig_euid; orig_euid = geteuid(); /* Drop privileges */ if (seteuid(getuid()) == -1) errExit("seteuid"); /* Do unprivileged work*/ /* Hold privileges only while they are required. */ /* Reacquire privileges */ if (seteuid(orig_euid) == -1) errExit("seteuid"); /* Do privileged work*/ /* We must gain privilege prior to dropping it permanently */ /* Drop privileges permanently when they will never agin be required. */ /* Use setuid() for set-user-root and setreuid() (or setresuid()) for set-user-ID program */ if (setuid(getuid() == -1) errExit("setuid");
  • 6.
    Operate with LeastPrivilege (cont.) ● [Tsafrir et al., 2008] recommends that applications should use system specific nonstandard system calls for changing process credentials. ● Not only check that a credential-changing system call has succeeded, but also to verify that the change occurred as expected. ● We should drop/raise the privileged effective user ID last/first when dropping/raising privileged IDs.
  • 7.
    Be Careful WhenExecuting a Program ● Drop privileges permanently before execing another program. ● Avoid executing a shell (or other interpreter) with privileges. ● Close all unnecessary file descriptors before an exec().
  • 8.
    Avoid Exposing Sensitive Information ●When a program reads sensitive information, it should perform whatever processing is required, and then immediately erase the information from memory. ○ The virtual memory page may be swapped out, and could then be read from the swap area by a privileged program. ○ If the process receives a signal that causes it to produce a core dump file, then that file may be read to obtain the information.
  • 9.
    Confine the Process ●Consider using capabilities The Linux capabilities scheme divides the traditional all-or-nothing UNIX privilege scheme into distinct units called capabilities. ● Consider using a chroot jail to limit the set of directories and files that a program may access. However, a chroot jail in insufficient to confine a set-user-ID-root program.
  • 10.
    Beware of Signalsand Race Conditions ● We need to consider the race conditions that can occur if a signal is delivered at any point in the execution of the program. ○ Time-of-check, time-of-use race condition.
  • 11.
    Pitfalls When PerformingFile Operations and File I/O ● The process umask should be set to a value that ensures that the process never creates publicly writable files. ● Use of seteuid() or setreuid() may required in order ensure that a newly created file doesn't belong to the wrong user. ● Checks on file attributes should be performed on open file descriptors. (Avoid time-of-use, time-of-check problem) ● If a program must ensure that it is the creator of a file, then the O_EXCL flag should be used when calling open(). ● A privileged program should avoid creating or relying on files in publicly writable directories.
  • 12.
    Don't Trust Inputsor the Environment ● Don't trust the environment list. ○ Especially PATH and IFS. ● Handle untrusted user inputs defensively. ○ User-created files, command-line arguments, interactive inputs, CGI inputs, email messages, environment variables, IPC (FIFOs, shared memory, and so on) accessible by untrusted users, and network packets. ● Avoid unreliable assumptions about the process's run-time environment.
  • 13.
    Beware of BufferOverruns ● Never use gets(), and employ functions such as scanf(), sprintf(), strcpy(), and strcat() with caution. ○ stack crashing (a.k.a. stack smashing) ■ address-space-randomization ■ NX (no execute) ● Alternatives, snprintf(), strncpy(), and strncat(). ○ The caller must check if truncation occurred. ○ Using strncpy() can carry a performance impact. ○ If the maximum size value given to strncpy() is not long enough to permit the inclusion of the terminating null character, the target string is not null-terminated.
  • 14.
    Beware of Denial-of-ServiceAttacks ● Denial-of-service attacks attempt to make a service unavailable to legitimate clients. ○ A server should be programmed to rigorously check its input and avoid buffer overruns. ○ The Server should perform load throttling. ○ A server should employ timeouts for communication with a client. SYN flood ○ In the event of an overload, the server should log suitable messages. However, logging should be throttled. ○ The server should be programmed so that it doesn't crash in the face of an unexpected load. ○ Data structures should be designed to avoid algorithmic- complexity attacks. ○ Spoofing attack
  • 15.
    Check Return Statusesand Fail Safely ● A program should always check to see whether system calls and library functions succeed, and whether they return expected values. ● If a privileged program encounters an unexpected situation, then the appropriate behavior is usually either to terminate or, in the case of a server, to drop the client request.
  • 16.
    Summary In this chapter,we presented a set of guidelines for writing privileged programs. The aim of these guidelines is twofold: to minimize the chances of a privileged program being subverted, and to minimize the damage that can be done in the event that a privileged program is subverted.
  • 17.
    Reference ● Oracle LinuxSecurityGuide for Release 6, Chapter 4. Security Considerations for Developers ● Secure Programming for Linux and Unix HOWTO