1

Setuid Demystified

Hao Chen David Wagner

UC Berkeley

Drew Dean

SRI International

2

The Setuid API

• User ID model: the basis for access control in Unix

• Each process has three user IDs:– ruid: the real user ID– euid: the effective user ID– suid: the saved user ID

• The setuid API offers these system calls:– setuid, seteuid, setreuid, setresuid

3

The Mystery

• Which user IDs does setuid(x) set? – FreeBSD: always ruid=euid=suid=x– Linux/Solaris:

always euid=x, sometimes ruid=suid=x

• Do these calls always succeed?– setuid ( geteuid ( ) )

• May fail in Linux and Solaris

– seteuid ( geteuid ( ) )• May fail in FreeBSD

– setreuid ( geteuid ( ) , getuid ( ) )• May fail in FreeBSD

4

The Problems

• Semantic mess– Design: confusing, surprising– Portability: semantic differences among OSs

(e.g. Linux, Solaris, FreeBSD)– Documentation: incomplete, inaccurate, or

incorrect

• Reason: historical artifacts• Vulnerabilities

– Sendmail 8.10.1 and 8.12.0, etc.

5

Outline: Demystify the Setuid API

• Identify the precise semantics– Use a formal model– Build the model automatically by state space

exploration

• Check for– Semantic pitfalls– Documentation errors– Inconsistency in OS kernels– Proper use of API calls in programs

• Propose guidelines

6

Formal Model of the Setuid API

• Finite State Automaton (FSA) model– States: describing the user IDs of a process– Transitions: describing the semantics of the

setuid API calls

ruid=1euid=0suid=0

ruid=1euid=1suid=1

ruid=1euid=1suid=0

setuid(1)

seteuid(1)

seteuid(0)

Abstraction

0: root uid

1: a non-root uid

7

Construct the FSA

• Challenge– Large number of transitions– Manual construction is laborious, error-prone

• Solution– Automatic construction by a state space

explorer:• Exhaustively makes all setuid API calls at each

state of the FSA

• Observes the resulting transitions

8

ruid=1euid=1suid=0

ruid=0euid=0suid=0

ruid=1euid=0suid=0

ruid=0euid=1suid=0

ruid=1euid=0suid=1

ruid=1euid=1suid=1

ruid=0euid=1suid=1

ruid=0euid=0suid=1

setuid(1)seteuid(1)

seteuid(0)

setuid

(0)

setuid(0)

setuid(1)

9

Linux

FreeBSD

FSAs for setuid transitions

10

FSA for setresuid in Linux

11

Benefits of Using Formal Model

• Correctness– Intuition: the transitions in the FSA are

observed from running programs

• Efficiency– The FSA is constructed automatically by the

explorer

• Portability: the explorer is portable to– Different Unix systems– Different versions of kernels

• Lots of applications!

12

Find Documentation Errors

• Incomplete man page– setuid(2) in Redhat Linux 7.2:

fails to mention the Linux capabilities which affect how setuid() behaves

• Wrong man pages– FreeBSD 4.4Unprivileged users may change the ruid to the euid and vice versa

– Redhat Linux 7.2The setgid function checks the egid of the caller and if it is the superuser, …

suid

euid

13

Detect Inconsistencies in OS Kernel

• File system uid (fsuid) in Linux– Is used for filesystem permission checking– Normally follows euid

• An invariant in Linux 2.4.18 (kernel/sys.c)– fsuid is 0 only if at least one of ruid, euid, suid is 0

• Security motivation– Root privilege in fsuid is automatically dropped

when it is dropped from ruid, euid, suid– Ensures that an fsuid-unware application can

safely drop root privilege in fsuid

14

Detect Inconsistencies in OS Kernel (contd.)

• A bug in Linux kernels <= 2.4.18 breaks the invariant– The bug is in setresuid()

• We found the bug using the formal model– Our patch was applied to kernel 2.4.19

• Lessons– Security design is difficult to get right– Formal models are very useful in verifying

security models

15

Check Proper Usage of the Setuid API in Programs

• Questions– Can a setuid API call fail in this program?– Can this program fail to drop privilege?– Which part of this program run with privilege?

• Approach– Model checking security properties in

programs using the FSA of the setuid API

• Results– Found known setuid bugs in sendmail 8.10.1

and 8.12.0

16

Guidelines

• Use setresuid where available– Explicit, clear semantics– Transactional

(vs. setuid which is not transactional)

• Obey the proper order of API calls– Drop group privileges before user privileges

17

Guidelines (contd.)

• Check for errors– Check return code– Verify user IDs are as expected after API calls

(because some calls are not transactional)

– Verify failuresHow to permanently drop privileges confidently?

1. Drop privilege

2. Try to regain privilege

3. Ensure that Step 2 fails

18

Related Work

• Unix man pages• Chris Torek and Casper Dik. Setuid Mess• Matt Bishop. How to write a setuid

program• Timothy Levin, S. Padilla, Cynthia Irvine.

A Formal Model for UNIX Setuid

19

Conclusion: Setuid Demystified

• We’ve identified the precise semantics– Use an FSA model– Built the model automatically by state space

exploration

• Formal models revealed pitfalls and bugs– We discovered semantic pitfalls– We found new documentation errors– We detected the fsuid bug in the Linux kernel– We verified the proper use of setuid API in

some programs

• Follow our guidelines for the setuid API

20

Further Information

http://www.cs.berkeley.edu/~hchen/research/setuid/

21

FSA for setreuid in Linux