1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International
1
Setuid Demystified
Hao Chen David Wagner
UC Berkeley
Drew Dean
SRI International
2
The Setuid API
• User ID model: the basis for access control in Unix
• Each process has three user IDs:– ruid: the real user ID– euid: the effective user ID– suid: the saved user ID
• The setuid API offers these system calls:– setuid, seteuid, setreuid, setresuid
3
The Mystery
• Which user IDs does setuid(x) set? – FreeBSD: always ruid=euid=suid=x– Linux/Solaris:
always euid=x, sometimes ruid=suid=x
• Do these calls always succeed?– setuid ( geteuid ( ) )
• May fail in Linux and Solaris
– seteuid ( geteuid ( ) )• May fail in FreeBSD
– setreuid ( geteuid ( ) , getuid ( ) )• May fail in FreeBSD
4
The Problems
• Semantic mess– Design: confusing, surprising– Portability: semantic differences among OSs
(e.g. Linux, Solaris, FreeBSD)– Documentation: incomplete, inaccurate, or
incorrect
• Reason: historical artifacts• Vulnerabilities
– Sendmail 8.10.1 and 8.12.0, etc.
5
Outline: Demystify the Setuid API
• Identify the precise semantics– Use a formal model– Build the model automatically by state space
exploration
• Check for– Semantic pitfalls– Documentation errors– Inconsistency in OS kernels– Proper use of API calls in programs
• Propose guidelines
6
Formal Model of the Setuid API
• Finite State Automaton (FSA) model– States: describing the user IDs of a process– Transitions: describing the semantics of the
setuid API calls
ruid=1euid=0suid=0
ruid=1euid=1suid=1
ruid=1euid=1suid=0
setuid(1)
seteuid(1)
seteuid(0)
Abstraction
0: root uid
1: a non-root uid
7
Construct the FSA
• Challenge– Large number of transitions– Manual construction is laborious, error-prone
• Solution– Automatic construction by a state space
explorer:• Exhaustively makes all setuid API calls at each
state of the FSA
• Observes the resulting transitions
8
ruid=1euid=1suid=0
ruid=0euid=0suid=0
ruid=1euid=0suid=0
ruid=0euid=1suid=0
ruid=1euid=0suid=1
ruid=1euid=1suid=1
ruid=0euid=1suid=1
ruid=0euid=0suid=1
setuid(1)seteuid(1)
seteuid(0)
setuid
(0)
setuid(0)
setuid(1)
9
Linux
FreeBSD
FSAs for setuid transitions
10
FSA for setresuid in Linux
11
Benefits of Using Formal Model
• Correctness– Intuition: the transitions in the FSA are
observed from running programs
• Efficiency– The FSA is constructed automatically by the
explorer
• Portability: the explorer is portable to– Different Unix systems– Different versions of kernels
• Lots of applications!
12
Find Documentation Errors
• Incomplete man page– setuid(2) in Redhat Linux 7.2:
fails to mention the Linux capabilities which affect how setuid() behaves
• Wrong man pages– FreeBSD 4.4Unprivileged users may change the ruid to the euid and vice versa
– Redhat Linux 7.2The setgid function checks the egid of the caller and if it is the superuser, …
suid
euid
13
Detect Inconsistencies in OS Kernel
• File system uid (fsuid) in Linux– Is used for filesystem permission checking– Normally follows euid
• An invariant in Linux 2.4.18 (kernel/sys.c)– fsuid is 0 only if at least one of ruid, euid, suid is 0
• Security motivation– Root privilege in fsuid is automatically dropped
when it is dropped from ruid, euid, suid– Ensures that an fsuid-unware application can
safely drop root privilege in fsuid
14
Detect Inconsistencies in OS Kernel (contd.)
• A bug in Linux kernels <= 2.4.18 breaks the invariant– The bug is in setresuid()
• We found the bug using the formal model– Our patch was applied to kernel 2.4.19
• Lessons– Security design is difficult to get right– Formal models are very useful in verifying
security models
15
Check Proper Usage of the Setuid API in Programs
• Questions– Can a setuid API call fail in this program?– Can this program fail to drop privilege?– Which part of this program run with privilege?
• Approach– Model checking security properties in
programs using the FSA of the setuid API
• Results– Found known setuid bugs in sendmail 8.10.1
and 8.12.0
16
Guidelines
• Use setresuid where available– Explicit, clear semantics– Transactional
(vs. setuid which is not transactional)
• Obey the proper order of API calls– Drop group privileges before user privileges
17
Guidelines (contd.)
• Check for errors– Check return code– Verify user IDs are as expected after API calls
(because some calls are not transactional)
– Verify failuresHow to permanently drop privileges confidently?
1. Drop privilege
2. Try to regain privilege
3. Ensure that Step 2 fails
18
Related Work
• Unix man pages• Chris Torek and Casper Dik. Setuid Mess• Matt Bishop. How to write a setuid
program• Timothy Levin, S. Padilla, Cynthia Irvine.
A Formal Model for UNIX Setuid
19
Conclusion: Setuid Demystified
• We’ve identified the precise semantics– Use an FSA model– Built the model automatically by state space
exploration
• Formal models revealed pitfalls and bugs– We discovered semantic pitfalls– We found new documentation errors– We detected the fsuid bug in the Linux kernel– We verified the proper use of setuid API in
some programs
• Follow our guidelines for the setuid API
20
Further Information
http://www.cs.berkeley.edu/~hchen/research/setuid/
21
FSA for setreuid in Linux