Comments on: 5 Things You Don’t Know About User IDs That Will Destroy You

By: "setuid demystified" is flawed

"setuid demystified" is flawed — Fri, 01 May 2009 09:36:08 +0000

Actually, it turns out that the “setuid demystified” paper was seriously flawed, which is why those guys wrote a followup paper titled “revising setuid demystified” [USENIX ;login 2008], see: http://www.eecs.berkeley.edu/~daw/papers/setuid...

They also made the code that supposedly safely manipulates identity available here: http://code.google.com/p/change-process-identity/

By: Khang Toh

Khang Toh — Mon, 27 Apr 2009 13:50:51 +0000

Did you you submit a patch for starling?

By: Jesse Farmer

Jesse Farmer — Thu, 16 Apr 2009 22:38:37 +0000

Bibble,

What you said is true but irrelevant. People aren’t writing insecure code intentionally, they’re writing it because they don’t know how these things work!

The solution isn’t to rant and rave about idiot engineers, it’s to design systems and libraries that are easy to understand and do the right thing, and make up the difference by educating people.

That’s exactly what Joe is doing.

By: James

James — Wed, 15 Apr 2009 18:25:53 +0000

Stevens was a great author and teacher, but UNIX systems have evolved since then and his books do not apply to many current UNIX systems. To better understand UIDs and security, I recommend Chen’s paper “SetUID Demystified” from USENIX Security 2002. It can be found at http://www.eecs.berkeley.edu/~daw/papers/setuid-usenix02.pdf. Matt Bishop’s Writing Safe SetUID Programs at http://nob.cs.ucdavis.edu/bishop/secprog/ is another essential reference.

By: Cameron Kerr

Cameron Kerr — Wed, 15 Apr 2009 02:09:58 +0000

Good coverage, although you didn’t make any mention of the added file-system permissions that Linux uses.

setfsuid(2) etc., credentials(7) and also capabilities(7) are useful manual pages for further exploration for Linux developers.

By: Bibble

Bibble — Tue, 14 Apr 2009 09:20:32 +0000

UNIX UIDs are not as hard to understand as you imagine. Stevens covered it years and years ago.

If you don’t understand how they work you shouldn’t run anything as root. If you don’t know how to safely drop privileges from UID 0 to some other userm then you don’t know how to write secure code.

Anyone who thinks they can learn secure programming from the odd page here and there of code snippets is mistaken.

By: Chris Gaffney

Chris Gaffney — Mon, 13 Apr 2009 20:27:40 +0000

@Khang Toh: Yep, Starling has been patched. We’re collecting a couple items before we do the next release.

By: Joe Damato

Joe Damato — Mon, 13 Apr 2009 20:09:51 +0000

@jelle – I probably should have been more clear, but I was referring to the case where you are calling setuid() as root to drop privileges.

In that case, all 3 IDs are set to the ID passed in.

Sorry about the confusion, I’ll see if I can make it a bit more clear.

By: Jelle

Jelle — Mon, 13 Apr 2009 19:38:10 +0000

You’re wrong about setuid (atleast on linux), see:
http://linux.die.net/man/2/setuid
setuid() sets the effective user ID of the current process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set.

By: Joe Damato

Joe Damato — Mon, 13 Apr 2009 19:31:06 +0000

@Khang Toh: Yep.