344 | 344 | Such programs used to be one of the most frequent causes of security problems |
345 | 345 | in Unix systems. |
346 | 346 | \item The basic rule for writing SUID/SGID programs is: \emsl{do not write |
347 | | -them} if it is not absolutely necessary. This area is typical as security |
348 | | -problem generator. It is not easy to produce correct (i.e. secure) SUID/SGID |
349 | | -program, especially of higher complexity. |
| 347 | +them} if it is not absolutely necessary. It is not easy to produce a correct |
| 348 | +(i.e. secure) SUID/SGID program, especially of higher complexity. |
350 | 349 | \item \emsl{These are the rules for ID change:} |
351 | 350 | \begin{itemize} |
352 | | -\item ordinary user cannot change its RUID or saved UID (the \texttt{exec} is an |
353 | | -exception to that, see page \pageref{EXEC}) |
| 351 | +\item an ordinary user cannot change its RUID or saved UID (the \texttt{exec} is |
| 352 | +an exception to that, see page \pageref{EXEC}) |
354 | 353 | \item the process can always change its EUID to that of RUID or saved UID. |
355 | 354 | This guarantees that in SUID program it is possible to arbitrarily change EUID |
356 | 355 | between the one that enabled the process to gain ownership rights and the |
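Review bot: style point on the unchanged context line 354 of this hunk: the new line 351 adds the missing article ("an ordinary user cannot change its RUID"), but line 354 still reads "in SUID program it is possible to arbitrarily change EUID"; since this passage is being reworded anyway, change it to "in a SUID program" so the whole item uses articles consistently. The rest of the hunk looks right: dropping "This area is typical as security problem generator" loses nothing, because lines 344 and 345 already make the same point.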
|
392 | 391 | \texttt{getruid}. |
393 | 392 | \item \texttt{getgroups}: when \texttt{gidsz~==~0}, it returns the number of |
394 | 393 | groups. When \texttt{0 < gidsz < \#skupin}, it returns \texttt{-1}. |
395 | | -\item In UNIXu there are many data types such as \verb#uid_t#, \verb#gid_t#, |
396 | | -\verb#size_t#, etc. Generally these are integer types, you can often find them |
397 | | -in the \texttt{/usr/inc{}lude/sys/types.h} header file. |
398 | | -\item Solaris has the \texttt{pcred} command, that will print process |
399 | | -idenfitication information in simple form: |
| 394 | +\item In Unix, there are many data types such as \verb#uid_t#, \verb#gid_t#, |
| 395 | +\verb#size_t#, \verb#pid_t#, etc. In general, these are integer types and you |
| 396 | +can often find them in the \texttt{/usr/inc{}lude/sys/types.h} header file. |
| 397 | +\item Solaris has the \texttt{pcred} command that provides process |
| 398 | +idenfitication information in a simple form: |
| 399 | + |
400 | 400 | \begin{verbatim} |
401 | 401 | $ pcred 5464 |
402 | 402 | 5464: e/r/suid=1993 e/r/sgid=110 |
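Review bot: the typo "idenfitication" on the new line 398 is carried over from the removed line 399 and should read "identification". While this hunk is open, the unchanged context line 393 still contains the Czech remnant in "0 < gidsz < \#skupin"; it should become "\#groups" (the number of groups the process belongs to) to match the English text on line 392.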
|
430 | 430 | \begin{itemize} |
431 | 431 | \item W.r.t. setting UID for a process with EUID 0 see also the notes on page |
432 | 432 | \pageref{ROOT_SETUID}. |
433 | | -\item To recap the above: a process with effective rights of superuser can |
434 | | -arbitrarily change its identity. The rest can only switch between its read and |
| 433 | +\item To recap the above: a process with effective rights of a superuser can |
| 434 | +arbitrarily change its identity. The rest can only switch between its real and |
435 | 435 | effective IDs. |
436 | 436 | \item The \emph{login} program uses the \texttt{setuid} syscall. |
437 | 437 | \item If a process with UID~==~0 wants to change its identity, it has to call |
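Review bot: the recap on the new lines 433 and 434 is narrower than the rule it summarizes. Lines 353 to 355 in the earlier hunk state that an unprivileged process may set its EUID to either its real UID or its saved UID, but the recap says such a process "can only switch between its real and effective IDs" and drops the saved UID, which is the ID that lets a SUID program regain privilege after temporarily giving it up. Suggest: "The rest can only switch its effective ID between its real and saved IDs."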
|
444 | 444 | called \emph{u-area} (see e.g. [Bach]). |
445 | 445 | \item If a root SUID program calls \texttt{setuid} for UID other than 0, it can |
446 | 446 | no longer return to EUID==0 (this makes sense, imagine a user logging into the |
447 | | -system). For different behavior \texttt{seteuid} (that sets just EUID) would |
| 447 | +system). For a different behavior, \texttt{seteuid} (that sets just EUID) would |
448 | 448 | have to be used. |
449 | 449 | \item Example: \example{setuid/screate-file.c} |
450 | 450 | \end{itemize} |
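Review bot: missing explanation on lines 445 to 448: the item tells the reader the effect (after \texttt{setuid} to a non-zero UID the process can no longer return to EUID 0) but not why, and the contrast with \texttt{seteuid} "that sets just EUID" on the new line 447 only implies that \texttt{setuid} changes more than the effective UID. Spell out which IDs \texttt{setuid} changes for a process with EUID 0 so the item is self-contained; the reference to page \pageref{ROOT_SETUID} in the previous hunk suggests that is where the detail lives, so a short sentence here plus that cross-reference would do.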
|
494 | 494 | \item The root user can in some systems create cycle in directory structure |
495 | 495 | however that might confuse file system traversal tools; hence the cyclical |
496 | 496 | structure is not used much. Symbolic links to directories work everywhere. |
497 | | -\item Named pipes (see page \pageref{MKFIFO}) can be used between processes |
498 | | -that do not have ''family'' relationship. Otherwise they work as unnamed pipes. |
| 497 | +\item Named pipes (see page \pageref{MKFIFO}) can be used between processes that |
| 498 | +do not have ''family'' relationship. They work as unnamed pipes otherwise. |
499 | 499 | \item The sockets noticed above are in the UNIX domain, i.e. they serve for |
500 | 500 | communication within one system. The INET domain sockets, used for network |
501 | 501 | communication (see page \pageref{NETWORKING}) are not visible in the file system. |
502 | 502 | jednoho systému. Sokety z domény INET, pøes které probíhá sí»ová komunikace, |
503 | 503 | se v systému souborù neobjevují. Sí»ová komunikace zaèíná na stranì |
504 | 504 | \item Debuggers use process images available through \texttt{/proc}. |
505 | | -On most of u{}nix-like systems the \texttt{/proc} tree contains informations |
506 | | -about kernel and running processes in the form of text files. |
507 | | -\item Modern Unixes contain special \emph{devfs} filesystem, which reflects |
508 | | -actual system configuration w.r.t. connected devices. I.e. after connecting |
509 | | -USB stick a related device will appear under \texttt{/dev}. After physically |
510 | | -disconnecting it, the item will disappear. |
| 505 | +On many Unix-like systems the \texttt{/proc} tree contains information about |
| 506 | +kernel and running processes in the form of text files. However, some systems, |
| 507 | +like Solaris, have those files in a binary form only and provide special |
| 508 | +commands to read those (like \texttt{pargs}, \texttt{pldd}, etc.). |
| 509 | +\item Modern Unix systems contain a special \emph{devfs} filesystem that |
| 510 | +reflects an actual system configuration w.r.t. connected devices. I.e. after |
| 511 | +connecting a USB stick a related device will appear under \texttt{/dev}. After |
| 512 | +physically disconnecting it, the item will disappear. |
511 | 513 | \end{itemize} |
512 | 514 |
|
513 | 515 | \endinput |
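Review bot: the unchanged context lines 502 and 503 are untranslated Czech left over from the original text ("jednoho systému. Sokety z domény INET, ...") and duplicate what the English lines 499 to 501 already say; they should be deleted in this commit, since the hunk is already editing the surrounding items. Two smaller points in the same hunk: line 498 writes the quotes as ''family'' with straight apostrophes on both sides, which LaTeX typesets as two closing quotes, so the opening pair should be two backticks; and "I.e." at the start of the sentence on the new line 510 introduces an example rather than a restatement, so "For example, after connecting a USB stick ..." reads better.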