Setuid Demystified (and how it may relate to stored procedure authorizations) Mahesh

Access Control in Unix Partly based on UIDs Partly based on UIDs In old unix systems, process had two UIDs: ruid, euid. In old unix systems, process had two UIDs: ruid, euid. Why? Principle of least privilege Why? Principle of least privilege Newer unix systems (solaris, bsd, linux), three uids: ruid, euid, suid Newer unix systems (solaris, bsd, linux), three uids: ruid, euid, suid Why? To be able to restore to higher privilege Why? To be able to restore to higher privilege

Access Control in Unix (contd.) fork() – inherit parent’s uids fork() – inherit parent’s uids exec() – keep uids, unless setuid bit is set, in which case e & suid are set to file owner’s id exec() – keep uids, unless setuid bit is set, in which case e & suid are set to file owner’s id (Ordinary) access control: based on euid (Ordinary) access control: based on euid (Meta) access control policy: on what basis can a process change r/e/suid? (Meta) access control policy: on what basis can a process change r/e/suid? setuid system calls setuid system calls

Setuid calls setresuid(r,e,s) setresuid(r,e,s) seteuid(e) seteuid(e) setreuid(r,e) setreuid(r,e) setuid(u) setuid(u) Linux specific: setfsuid() setfsuid() set/unset setuid “capability” set/unset setuid “capability”

Issue What exactly is the effect of each call? When does each succeed? What exactly is the effect of each call? When does each succeed? Source code inspection Source code inspection Build some “formal” model – DFA (still need some source code inspection) Build some “formal” model – DFA (still need some source code inspection) Source code observations – cf. 5.2 Source code observations – cf. 5.2

DFA construction Identify set of all possible states Identify set of all possible states identifies a state (except in linux) identifies a state (except in linux) Maybe return code (error/success) is part of state Maybe return code (error/success) is part of state Equivalence classes of states Equivalence classes of states Identify all possible transitions Identify all possible transitions E.g., given universe of ids, {0,1}, all possible calls are: setuid(0), setuid(1), seteuid(0,1), etc. E.g., given universe of ids, {0,1}, all possible calls are: setuid(0), setuid(1), seteuid(0,1), etc. cf. figure 3 cf. figure 3

DFA (contd.) Ensure that set of transitions is complete – source code inspection Ensure that set of transitions is complete – source code inspection Examples (U = {0,1} versus U = {1,2} etc.) Examples (U = {0,1} versus U = {1,2} etc.) (1) cf. figs 4 (a), (b), (c) (2) cf. fig (5, a) versus fig (6) Several bugs identified; setuid() call is ambiguous. Several bugs identified; setuid() call is ambiguous.

Algorithm correctness Equivalence classes of states Equivalence classes of states Equivalence classes of pairs for a particular OS Equivalence classes of pairs for a particular OS

Correctness (contd.) If If getstate() – returns rep. from equiv. class getstate() – returns rep. from equiv. class setstate(s) – OS enters some s’ equiv to s setstate(s) – OS enters some s’ equiv to s getallstates() – returns pair of sets (S,C) s.t.: getallstates() – returns pair of sets (S,C) s.t.: Every state equiv. class is repr. in S Every state equiv. class is repr. in S Every pair-equiv-class contains an s.t. c  C Every pair-equiv-class contains an s.t. c  C Then Then buildmodel() corrects models OS behaviour buildmodel() corrects models OS behaviour Assertion: |U| = 6 is sufficient. Assertion: |U| = 6 is sufficient.

Example use Portability between OSes: Portability between OSes: Construct “parallel composition” of two FAs Construct “parallel composition” of two FAs In new FA, state is pair (s,s’) In new FA, state is pair (s,s’) A state is accepting iff s  s’ A state is accepting iff s  s’ If there is an execution trace from a non- accepting state to an accepting state, then potential portability issue If there is an execution trace from a non- accepting state to an accepting state, then potential portability issue

Their proposed API cf. figure 13 cf. figure 13

(Dis)similarity to stored procedure stuff We are not dealing with procedures explicitly changing privilege level We are not dealing with procedures explicitly changing privilege level Ambiguity in how it works “statically” Ambiguity in how it works “statically” Errors in Oracle docs Errors in Oracle docs Even if we clearly understand how it works, it doesn’t make sense from some intuitive security standpoint Even if we clearly understand how it works, it doesn’t make sense from some intuitive security standpoint