Chapter 9 - UNIX I: Privileges and Files

December 19th, 2006

Overview

Ahh, good old Unix. This chapter is the first of two chapters we wrote on auditing Unix software. In this chapter, we first talk about the Unix security model and give a process for auditing code that uses the Unix privilege management APIs. Then, we talk about files and the file system, covering the basic file security model first, and then going in-depth into attacks such as insufficient permissions, linking attacks, race conditions, and temporary file exposures. We finish the discussion off with a quick survey of the security nuances of the stdio file interface.

External Resources

pathname.com’s "Filesystem Hierarchy Standard"
Chen, Wagner, and Dean’s "Setuid Demystified"
Jan Wolter’s "Unix Incompatibility Notes: UID Function Setting"
Solar Designer’s John the Ripper
Olaf Kirch’s "Symlinks and Cryogenic Sleep"
Michal Zalewski’s "Problems with mkstemp()"

External References

Wikipedia entry on GECOS. (Page 462)
plaguez’s XFree86 SVGA server advisory. (Page 478)
rsync group privileges vulnerability. (Page 480)
Zalewski’s sendmail 8.12.0 privilege retention vulnerability. (Page 482)
Zimmerman’s tcptraceroute advisory. (Page 487)
FreeBSD inetd IDENT advisory. (Page 487)
Wojciech Purczynski’s Sendmail Linux capabilities vulnerability. (Page 494)
Przemyslaw Frasunek’s libutil OpenSSH advisory. (Page 500)
Alex Belits’ tftpd pathname validation vulnerability. (Page 505)
8lgm’s binmail advisory. (Page 532)
Wojciech Purczynski’s GNU file utils advisory. (Page 537)
Nick Cleaton’s fts race condition advisory. (Page 538)
cstrings tempnam() race condition. (Page 541)

Mirrored Software

rsync-2.5.2 - Supplemental Groups Vulnerability, page 481
sendmail-8.12.0 - Privilege Retention Vulnerability, page 482
tcptraceroute-1.5beta3 - Privilege Retention Vulnerability, page 486
FreeBSD inetd builtins.c - Listing 9-2, page 487
Netkit-0.09 - tftpd Path Traversal Vulnerability, page 506
kerb5-1.2 - Listing 9-4, page 529
BSD mail.local.c, Race Condition Vulnerability, page 530
xpdf-0.90 - tmpnam() Vulnerability, page 541
cstrings-2.2 - tempnam() Vulnerability, page 542

Relevant Blog Posts

Zalewski-vision
Copy editors are scary
Spreekt u Nederlands?

Further Reading and Discussion

It’s a considerable oversight that we didn’t directly mention David Wheeler’s excellent Secure Programming for Linux and Unix HOWTO — Creating Secure Software. It’s essentially a high-quality book on secure programming that’s available for free.

W. Richard Stevens’ Advanced Programming in the UNIX Environment is a classic.

More to come.
