There are two forms of special access in UNIX System V. The first is the access granted by the set-id feature, and the second is privilege. In the past these have been bound together through the root effective user identity, and they continue to be bound in superuser-based versions of UNIX System V.
Commands that use the set-id feature to obtain access to files not otherwise available to an invoking user must carefully control not only their own use of these access permissions, but also how these permissions are granted to other commands. There is always the possibility of a Trojan Horse when a command executes another command, so care must be taken (see ``Executing other commands''). In this section, the issue is incorrect use of special access rights. In general, the best protection against either incorrect use or a Trojan Horse is to reset the effective user and group identity immediately on entry to a command and to assert the special identities only where they are explicitly needed, resetting them again as soon as the privileged operation is done. The code excerpt in ``Correct regulation of access in C programs'' illustrates the procedure.
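The procedure described above, as an added example that is not code from the original manual: the reset-on-entry and assert-only-where-needed steps are packaged as reusable helpers, and the bracket around open(2) is extended to cover the case the text does not spell out, a failed open. The effective GID is restored whether or not the open succeeds, and the errno from the failed open is preserved across the restore so the caller's error report is accurate. The function names (drop_privileges, open_as_special_group, running_as_invoker) are my own, and /dev/null stands in for the protected file. It relies on the saved set-user-ID and set-group-ID that System V Release 4 and POSIX keep: after seteuid(getuid()) the saved ID still holds the special identity, which is what allows setegid(saved_egid) to re-assert it later.

```c
/* Added example: privilege bracketing for a set-id program.
 * Helper names are assumptions, not part of the UNIX System V manual. */
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>

static uid_t saved_euid;   /* special user identity recorded on entry */
static gid_t saved_egid;   /* special group identity recorded on entry */

/* Record the special identities and switch to the invoker's real ones.
 * Called first thing in main().  Returns 0 on success, -1 with errno set. */
int drop_privileges(void)
{
    saved_euid = geteuid();
    saved_egid = getegid();
    if (seteuid(getuid()) < 0)
        return -1;
    if (setegid(getgid()) < 0)
        return -1;
    return 0;
}

/* Open path with the set-gid identity asserted only for the open(2) itself.
 * The effective GID is reset afterwards whether or not the open succeeded,
 * and errno from a failed open survives the reset. */
int open_as_special_group(const char *path, int flags)
{
    int fd, saved_errno;

    if (setegid(saved_egid) < 0)          /* assert the special GID */
        return -1;
    fd = open(path, flags);
    saved_errno = errno;                   /* keep the open's errno */
    if (setegid(getgid()) < 0) {           /* give the special GID back */
        /* Could not drop the special identity: do not hand the caller a
         * descriptor while still running with it. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* True when both effective identities equal the invoker's real ones. */
int running_as_invoker(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

int main(void)
{
    int fd;

    if (drop_privileges() < 0) {
        perror("Cannot reset identity");
        return 1;
    }
    /* /dev/null stands in for the protected file (e.g. /etc/security_file) */
    fd = open_as_special_group("/dev/null", O_RDONLY);
    if (fd < 0) {
        perror("Cannot open file");
        return 1;
    }
    printf("opened fd %d, running as invoker: %d\n", fd, running_as_invoker());
    close(fd);
    return 0;
}
```

Run unprivileged, the seteuid and setegid calls are no-ops that succeed, so the program also serves as a regression check that the bracket always returns to the invoker's identity; installed set-gid, only the open(2) runs with the special group.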
    #include <sys/types.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>

    static uid_t eff_uid, real_uid;
    static gid_t eff_gid, real_gid;      /* group identities are gid_t, not uid_t */

    /* error() and cleanup() are referenced but not defined in the excerpt;
       minimal definitions are supplied here so the example compiles. */
    static void error(msg)
    char *msg;
    {
        fprintf(stderr, "%s\n", msg);     /* Report error and exit */
        exit(1);
    }

    static void cleanup()
    {
        /* Restore any program state that must be consistent before exit */
    }

    /* . . . */

    main(argc, argv)
    int argc;
    char *argv[];
    {
        int fd;                              /* Variable declarations */

        eff_uid = geteuid();
        eff_gid = getegid();
        real_uid = getuid();
        real_gid = getgid();

        if (seteuid(real_uid) < 0) {         /* Set the effective UID to the real */
            error("Cannot reset UID.");      /* Report error and exit */
        }
        if (setegid(real_gid) < 0) {         /* Set the effective GID to the real */
            error("Cannot reset GID.");      /* Report error and exit */
        }

        /* . . . */

        if (setegid(eff_gid) < 0) {          /* Assert the effective GID */
            error("Cannot assert GID.");     /* Report error and exit */
        }
        fd = open("/etc/security_file", O_RDWR);
        if (setegid(real_gid) < 0) {         /* Set the effective GID to the real */
            cleanup();                       /* Restore consistency */
            error("Cannot reset GID.");      /* Report error and exit */
        }
        if (fd < 0) {
            error("Cannot open file.");      /* Report error and exit */
        }

        /* Process data */
        /* . . . */

        close(fd);
        return 0;
    }
Correct regulation of access in C programs