| <html lang="en"> |
| <head> |
| <title>Tips for Setuid - The GNU C Library</title> |
| <meta http-equiv="Content-Type" content="text/html"> |
| <meta name="description" content="The GNU C Library"> |
| <meta name="generator" content="makeinfo 4.13"> |
| <link title="Top" rel="start" href="index.html#Top"> |
| <link rel="up" href="Users-and-Groups.html#Users-and-Groups" title="Users and Groups"> |
| <link rel="prev" href="Setuid-Program-Example.html#Setuid-Program-Example" title="Setuid Program Example"> |
| <link rel="next" href="Who-Logged-In.html#Who-Logged-In" title="Who Logged In"> |
| <link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage"> |
| <!-- |
| This file documents the GNU C library. |
| |
| This is Edition 0.12, last updated 2007-10-27, |
| of `The GNU C Library Reference Manual', for version |
| 2.8 (Sourcery G++ Lite 2011.03-41). |
| |
| Copyright (C) 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2001, 2002, |
| 2003, 2007, 2008, 2010 Free Software Foundation, Inc. |
| |
| Permission is granted to copy, distribute and/or modify this document |
| under the terms of the GNU Free Documentation License, Version 1.3 or |
| any later version published by the Free Software Foundation; with the |
| Invariant Sections being ``Free Software Needs Free Documentation'' |
| and ``GNU Lesser General Public License'', the Front-Cover texts being |
| ``A GNU Manual'', and with the Back-Cover Texts as in (a) below. A |
| copy of the license is included in the section entitled "GNU Free |
| Documentation License". |
| |
| (a) The FSF's Back-Cover Text is: ``You have the freedom to |
| copy and modify this GNU manual. Buying copies from the FSF |
| supports it in developing GNU and promoting software freedom.''--> |
| <meta http-equiv="Content-Style-Type" content="text/css"> |
| <style type="text/css"><!-- |
| pre.display { font-family:inherit } |
| pre.format { font-family:inherit } |
| pre.smalldisplay { font-family:inherit; font-size:smaller } |
| pre.smallformat { font-family:inherit; font-size:smaller } |
| pre.smallexample { font-size:smaller } |
| pre.smalllisp { font-size:smaller } |
| span.sc { font-variant:small-caps } |
| span.roman { font-family:serif; font-weight:normal; } |
| span.sansserif { font-family:sans-serif; font-weight:normal; } |
| --></style> |
| <link rel="stylesheet" type="text/css" href="../cs.css"> |
| </head> |
| <body> |
| <div class="node"> |
| <a name="Tips-for-Setuid"></a> |
| <p> |
| Next: <a rel="next" accesskey="n" href="Who-Logged-In.html#Who-Logged-In">Who Logged In</a>, |
| Previous: <a rel="previous" accesskey="p" href="Setuid-Program-Example.html#Setuid-Program-Example">Setuid Program Example</a>, |
| Up: <a rel="up" accesskey="u" href="Users-and-Groups.html#Users-and-Groups">Users and Groups</a> |
| <hr> |
| </div> |
| |
| <h3 class="section">29.10 Tips for Writing Setuid Programs</h3> |
| |
| <p>It is easy for setuid programs to give the user access that isn't |
| intended—in fact, if you want to avoid this, you need to be careful. |
| Here are some guidelines for preventing unintended access and |
| minimizing its consequences when it does occur: |
| |
| <ul> |
| <li>Don't have <code>setuid</code> programs with privileged user IDs such as |
| <code>root</code> unless it is absolutely necessary. If the resource is |
| specific to your particular program, it's better to define a new, |
| nonprivileged user ID or group ID just to manage that resource. |
| It's better if you can write your program to use a special group than a |
| special user. |
| |
| <li>Be cautious about using the <code>exec</code> functions in combination with |
| changing the effective user ID. Don't let users of your program execute |
| arbitrary programs under a changed user ID. Executing a shell is |
| especially bad news. Less obviously, the <code>execlp</code> and <code>execvp</code> |
| functions are a potential risk (since the program they execute depends |
| on the user's <code>PATH</code> environment variable). |
| |
| <p>If you must <code>exec</code> another program under a changed ID, specify an |
| absolute file name (see <a href="File-Name-Resolution.html#File-Name-Resolution">File Name Resolution</a>) for the executable, |
| and make sure that the protections on that executable and <em>all</em> |
| containing directories are such that ordinary users cannot replace it |
| with some other program. |
| |
| <p>You should also check the arguments passed to the program to make sure |
| they do not have unexpected effects. Likewise, you should examine the |
| environment variables. Decide which arguments and variables are safe, |
| and reject all others. |
| |
| <p>You should never use <code>system</code> in a privileged program, because it |
| invokes a shell. |
| |
| <li>Only use the user ID controlling the resource in the part of the program |
| that actually uses that resource. When you're finished with it, restore |
| the effective user ID back to the actual user's user ID. |
| See <a href="Enable_002fDisable-Setuid.html#Enable_002fDisable-Setuid">Enable/Disable Setuid</a>. |
| |
| <li>If the <code>setuid</code> part of your program needs to access other files |
| besides the controlled resource, it should verify that the real user |
| would ordinarily have permission to access those files. You can use the |
| <code>access</code> function (see <a href="Access-Permission.html#Access-Permission">Access Permission</a>) to check this; it |
| uses the real user and group IDs, rather than the effective IDs. |
| </ul> |
| |
| </body></html> |
| |