The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

When a program calls a privileged function, such as chroot(), it must first acquire root privilege. As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.

Example: The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.
...
chroot(APP_HOME);
chdir("/");
/* still root here: no setuid() call before a user-supplied path is opened */
FILE* data = fopen(argv[1], "r+");
...
Failing to call setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack, because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.
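The corrected form of the example above, as an added illustration that is not part of the original page: chroot() and chdir("/") are done while still root, then the process drops permanently to the invoking user before any user-controlled path is opened, and verifies that the drop cannot be reversed. The APP_HOME value "/srv/app" and the function names are assumptions for the illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: groups must be changed while still root, because a
 * non-root process may not call setgroups() or setgid() to another group. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups; chroot() does nothing about them. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    /* As root, setuid() sets the real, effective and saved uid, so the
     * drop is permanent; seteuid() alone would leave root recoverable. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop actually happened and cannot be undone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0) {
        int saved_errno = errno;
        if (setuid(0) == 0)      /* must fail with EPERM once root is gone */
            return -1;
        errno = saved_errno;     /* the expected failure is not an error */
    }
    return 0;
}

/* chroot() needs root, so it runs first; root is dropped before any
 * user-supplied path is touched. Returns 0 on success, -1 on failure. */
int confine_and_drop(const char *app_home, uid_t uid, gid_t gid)
{
    if (chroot(app_home) != 0)
        return -1;
    if (chdir("/") != 0)         /* otherwise the cwd still points outside the jail */
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char *argv[])
{
    const char *app_home = "/srv/app";   /* assumed APP_HOME for this illustration */

    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* For a setuid-root binary, getuid()/getgid() are the invoking user. */
    if (confine_and_drop(app_home, getuid(), getgid()) != 0) {
        fprintf(stderr, "confine_and_drop: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    /* Only now, as the unprivileged user, open the user-specified file. */
    FILE *data = fopen(argv[1], "r+");
    if (data == NULL) {
        fprintf(stderr, "fopen(%s): %s\n", argv[1], strerror(errno));
        return EXIT_FAILURE;
    }
    /* ... process the file ... */
    fclose(data);
    return EXIT_SUCCESS;
}
```

drop_privileges() can be exercised without root by passing the current uid and gid: the setuid()/setgid() calls then succeed trivially, and the final setuid(0) check confirms that a non-root process cannot regain root. Run as root with a real APP_HOME, confine_and_drop() performs the full sequence the page describes.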
[1] Standards Mapping - Security Technical Implementation Guide Version 3 (STIG 3) - APP3500 CAT II
[2] Standards Mapping - Common Weakness Enumeration (CWE) - CWE ID 272
[3] Standards Mapping - Web Application Security Consortium 24 + 2 (WASC 24 + 2) - Insufficient Authorization
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 (PCI 1.2) - Requirement 7.1.1
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 (PCI 2.0) - Requirement 7.1.1
[6] A. Chuvakin, Using Chroot Securely