Setuid Demystified and how it may relate to

Access Control in Unix n Partly based on UIDs n In old unix systems,

Access Control in Unix (contd. ) n n fork() – inherit parent’s uids exec()

Setuid calls setresuid(r, e, s) n seteuid(e) n setreuid(r, e) n setuid(u) Linux specific:

Issue n What exactly is the effect of each call? When does each succeed?

DFA construction n Identify set of all possible states n n Identify all possible

DFA (contd. ) n n Ensure that set of transitions is complete – source

Algorithm correctness n n Equivalence classes of states Equivalence classes of <state, transition> pairs

Correctness (contd. ) n If n n n getstate() – returns rep. from equiv.

Example use n Portability between OSes: Construct “parallel composition” of two FAs n In

(Dis)similarity to stored procedure stuff n n We are not dealing with procedures explicitly

Slides: 12

Download presentation

Setuid Demystified (and how it may relate to stored procedure authorizations) Mahesh

Access Control in Unix n Partly based on UIDs n In old unix systems, process had two UIDs: ruid, euid. n n Why? Principle of least privilege Newer unix systems (solaris, bsd, linux), three uids: ruid, euid, suid n Why? To be able to restore to higher privilege

Access Control in Unix (contd. ) n n fork() – inherit parent’s uids exec() – keep uids, unless setuid bit is set, in which case e & suid are set to file owner’s id (Ordinary) access control: based on euid (Meta) access control policy: on what basis can a process change r/e/suid? n setuid system calls

Setuid calls setresuid(r, e, s) n seteuid(e) n setreuid(r, e) n setuid(u) Linux specific: n setfsuid() n set/unset setuid “capability” n

Issue n What exactly is the effect of each call? When does each succeed? Source code inspection n Build some “formal” model – DFA (still need some source code inspection) n n Source code observations – cf. 5. 2

DFA construction n Identify set of all possible states n n Identify all possible transitions n n <r, e, s> identifies a state (except in linux) Maybe return code (error/success) is part of state Equivalence classes of states E. g. , given universe of ids, {0, 1}, all possible calls are: setuid(0), setuid(1), seteuid(0, 1), etc. cf. figure 3

DFA (contd. ) n n Ensure that set of transitions is complete – source code inspection Examples (U = {0, 1} versus U = {1, 2} etc. ) (1) cf. figs 4 (a), (b), (c) (2) cf. fig (5, a) versus fig (6) n Several bugs identified; setuid() call is ambiguous.

Algorithm correctness n n Equivalence classes of states Equivalence classes of <state, transition> pairs for a particular OS

Correctness (contd. ) n If n n n getstate() – returns rep. from equiv. class setstate(s) – OS enters some s’ equiv to s getallstates() – returns pair of sets (S, C) s. t. : n n n Then n n Every state equiv. class is repr. in S Every pair-equiv-class contains an <s, c> s. t. c C buildmodel() corrects models OS behaviour Assertion: |U| = 6 is sufficient.

Example use n Portability between OSes: Construct “parallel composition” of two FAs n In new FA, state is pair (s, s’) n A state is accepting iff s s’ n If there is an execution trace from a nonaccepting state to an accepting state, then potential portability issue n

Their proposed API n cf. figure 13

(Dis)similarity to stored procedure stuff n n We are not dealing with procedures explicitly changing privilege level Ambiguity in how it works “statically” n n Errors in Oracle docs Even if we clearly understand how it works, it doesn’t make sense from some intuitive security standpoint