Saturday, January 13, 2007

setuid

I spent some time looking into the UNIX setuid scheme. Like null-terminated strings, I have always considered setuid to be an egregious hack, something that sensible people would avoid using at all costs. Unfortunately, like many egregious hacks, there are always people who see them as proof of genius rather than for what they really are.

The problem with setuid, though, is that it weakens your security foundation even if you try to avoid it. Setuid takes the reference monitor principle and throws it in the trash can. Every executable that has the setuid bit set and is owned by root has the ability to bypass the reference monitor, as does anyone who can mount a file system, or for that matter the file system itself.

Instead of having the security-sensitive code concentrated in one place, the reference monitor, it is diffused throughout the system. Instead of there being one piece of code to audit, there are many.
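As an added illustration of that audit surface (example code, not from the original post): a POSIX shell script that lists the setuid and setgid files under a tree, each of which is a separate piece of code sitting outside the reference monitor, and flags mounted file systems that lack the nosuid option, which is the mount-based route around the monitor mentioned above. It assumes a /proc/mounts-style mount table and a find/ls that support the options used.

```shell
#!/bin/sh
# Added example, not the post's own code. Inventories setuid/setgid files
# (each one must be audited on its own) and reports mounts without nosuid
# (a mount without it can bring its own setuid-root binaries into the system).

# Print "owner mode path" for every file under $1 with the setuid or setgid bit.
# -xdev keeps the walk on one file system, so each mount is inventoried alone.
list_setuid() {
    dir="${1:-/}"
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{print $3, $1, $NF}'
}

# Number of setuid/setgid files under $1 (the size of the audit list).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Read /proc/mounts-format lines on stdin (dev mountpoint fstype options ...)
# and print the mount points whose option list does not contain nosuid.
mounts_without_nosuid() {
    awk '{
        n = split($4, o, ",")
        has = 0
        for (i = 1; i <= n; i++) if (o[i] == "nosuid") has = 1
        if (!has) print $2
    }'
}

# Run the two checks against the live system only when asked explicitly.
if [ "${1:-}" = "--run" ]; then
    echo "setuid/setgid files under / ($(count_setuid /) total):"
    list_setuid /
    echo "mounts without nosuid:"
    mounts_without_nosuid < /proc/mounts
fi
```

Every line from the first list is code that runs with root authority and needs the same scrutiny as the kernel's own access checks; every mount in the second list is a place where such files could be introduced without passing through that scrutiny.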

It is often claimed that UNIX would achieve a B2 rating under the Orange Book. Like the claim that Jules Verne would have been the first person on the moon if he had managed to build a rocket, such statements are complete nonsense. The setuid feature alone should certainly disqualify it.

Does anyone know of a UNIX build without this broken hack?

1 comment:

DM said...

I think HP's Virtual Vault doesn't have suid, but it's been years since I used it.