An analysis of setuid (5)

2009-05-13 01:50:32  Source: unknown  Reads: ()


The discussion of this question in the book Practical Unix & Internet Security by Simson Garfinkel, Alan Schwartz and Gene Spafford...
16.4 Tips on Writing SUID/SGID Programs
If you are writing programs that are SUID or SGID, you must take added precautions in your programming. An overwhelming number of Unix security problems have been caused by SUID/SGID programs. Consider the rules described in this section in addition to those in previous sections.
1. "Don't do it. Most of the time, it's not necessary."
    Thanks to Patrick H. Wood and Stephen G. Kochan, Unix System Security (Hayden Books, 1985) for this insightful remark.
2.Avoid writing SUID shell scripts.
3. If you are using SUID to access a special set of files, don't. Instead, create a special group for your files and make the program SGID to that group. If you must use SUID, create a special user for the purpose.
4.If your program needs to perform some functions as superuser, but generally does not require SUID permissions, consider putting the SUID part in a different program, and constructing a carefully controlled and monitored interface between the two.
5.If you need SUID or SGID permissions, use them for their intended purpose as early in the program as possible, and then revoke them by returning the effective, and real, UIDs and GIDs to those of the process that invoked the program.
6.If you have a program that absolutely must run as SUID, try to avoid equipping the program with a general-purpose interface that allows users to specify much in the way of commands or options.
7.Erase the execution environment, if at all possible, and start fresh. Many security problems have been caused because there was a significant difference between the environment in which the program was run by an attacker and the environment in which the program was developed.
8.If your program must spawn processes, use only the execve( ), execv( ), or execl( ) calls, and use them with great care. Avoid the execlp( ) and execvp( ) calls because they use the PATH environment variable to find an executable, and you might not run what you think you are running. Avoid system( ) and popen( ) at all costs.
9. If you must provide a shell escape, be sure to setgid(getgid( )) and setuid(getuid( )) before executing the user's command and use them in the correct order! You must reset the group ID before you reset the user ID, or the call will fail.
10. In general, use the setuid( ) and setgid( ) functions and their friends to bracket the sections of your code that require superuser privileges. For example:
    /* setuid program is effectively superuser so it can open the master file */
    fd = open("/etc/masterfile", O_RDONLY);
    /* privileged work is done: drop back to the invoking user's ID right away */
    assert(seteuid(getuid()) == 0);
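The following is an added C example, not code from the book or from the original post, that carries the bracketing of tip 10 a little further and puts tips 5, 7, 8 and 9 beside it in one program: a privileged open followed by an immediate drop of the effective ID, a permanent drop done group-first, a replacement environment, and a child started with execve() on an absolute path. Function names such as drop_privileges_permanently() and the path /bin/true are this example's own assumptions. It checks every return value explicitly rather than with assert(), because assert() compiles to nothing when NDEBUG is defined, which would leave a failed privilege drop unnoticed in a release build.

```c
/* Added example (not from the book or the original post): privilege
 * bracketing and permanent privilege dropping for a SUID/SGID program.
 * All function names here are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tip 10: bracket a single privileged operation.  The file is opened with
 * the effective ID of the program's owner, then the effective ID is set to
 * the real (invoking) user at once.  The saved set-user-ID is untouched, so
 * a later seteuid() back to the owner is still possible if really needed.
 * Returns the descriptor, or -1 with errno set; never assert()s. */
int open_as_owner_then_drop(const char *path, uid_t ruid)
{
    int fd = open(path, O_RDONLY);      /* euid == owner here */
    int saved_errno = errno;
    if (seteuid(ruid) != 0) {           /* tip 5: give privilege back early */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;                /* keep open()'s error for the caller */
    return fd;
}

/* Tips 5 and 9: give SUID/SGID up for good, group first, then user.
 * Returns 0 on success, -1 if a step failed or root could still be regained.
 * A SUID-root program should additionally clear supplementary groups with
 * setgroups() before this point; that call is omitted here because it needs
 * root and a platform-specific header. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group before user: once the effective user ID is no longer 0, a
     * setgid() to anything other than the current IDs fails with EPERM. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)              /* also overwrites the saved set-user-ID */
        return -1;

    /* Verify rather than trust: effective IDs must now equal real IDs ... */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* ... and, for a non-root invoker, root must no longer be reachable. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Tip 7: a known, minimal environment to hand to execve() instead of the
 * one the invoker supplied (which may carry a hostile PATH, IFS, LD_*...). */
static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };

char *const *clean_environment(void)
{
    return clean_env;
}

/* Tips 8 and 9: start a helper on behalf of the invoker with an absolute
 * path, execve() (no PATH search, no shell), privileges already dropped and
 * the environment replaced.  Returns the child's exit status, or -1. */
int run_as_invoker(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')   /* refuse relative paths */
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges_permanently() != 0)
            _exit(126);
        execve(abs_path, argv, clean_environment());
        _exit(127);                     /* reached only if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int fd = open_as_owner_then_drop("/dev/null", getuid());  /* constructed path */
    printf("open+drop: fd=%d uid=%u euid=%u\n", fd,
           (unsigned)getuid(), (unsigned)geteuid());
    if (fd >= 0)
        close(fd);
    printf("permanent drop: %s\n",
           drop_privileges_permanently() == 0 ? "ok" : "failed");
    char *const argv[] = { "true", NULL };
    printf("child exit status: %d\n", run_as_invoker("/bin/true", argv));  /* assumed path */
    return 0;
}
```

Run as an ordinary user the program simply sets the IDs it already has; installed SUID it performs the real drop, and the final seteuid(0) probe in drop_privileges_permanently() is what turns "we called setuid()" into "we verified the privilege is gone".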

Copyright notice: some articles on this site come from the web; if any infringes your rights, please contact west999com@outlook.com
Special note: opinions in reposted articles do not represent those of this site; photographs, illustrations and design works provided here remain the property of their original authors, who should be contacted before use