The UNIX Process Identity Crisis: A Standards-Driven Approach to Setuid

dc.contributor.author: Dittmer, Mark Stephen
dc.date.accessioned: 2014-11-03T19:05:15Z
dc.date.available: 2014-11-03T19:05:15Z
dc.date.issued: 2014-11-03
dc.date.submitted: 2014-10-29
dc.description.abstract: This work revisits the setuid family of calls for privilege management that is implemented in several widely-used operating systems. Three of the four commonly used calls in the family are standardized by POSIX. The work investigates the current status of setuid and, in the process, challenges some assertions in prior work. It addresses three sets of questions with regard to the setuid family: (1) Is the POSIX standard indeed broken as prior work suggests? (2) Are implementations POSIX-compliant as claimed? (3) Are the wrapper functions that prior work proposes to circumvent issues with setuid calls correct and usable? Towards (1), the standards are expressed in a precise syntax that lends itself to a rigorous assessment of whether the standards are unambiguous and logically consistent descriptions of well-formed functions. Under some reasonable assumptions, two of the three functions that are standardized fit these criteria, which challenges assertions in prior work regarding the quality of the standard. In cases wherein the standard is broken, the problem is clearly characterized, and suggestions are given for fixing the standard, but at the cost of backwards-compatibility. Towards (2), a state-space enumeration is performed as in prior work, and a discussion of the implications of non-conformance and differences in implementation is presented. Towards (3), some issues with prior wrappers are identified. The work proposes a new suite of wrapper functions which are designed with a different mindset from prior work, and provides both stronger guarantees with respect to atomicity and a clearer semantics for permanent and temporary changes in process identity. With a fresh approach, this work is a contribution to a well-established mechanism for privilege management. [en]
dc.identifier.uri: http://hdl.handle.net/10012/8932
dc.language.iso: en [en]
dc.pending: false
dc.publisher: University of Waterloo [en]
dc.subject: Operating Systems [en]
dc.subject: Security and Protection [en]
dc.subject: Management of Computing and Information Systems [en]
dc.subject.program: Electrical and Computer Engineering [en]
dc.title: The UNIX Process Identity Crisis: A Standards-Driven Approach to Setuid [en]
dc.type: Master Thesis [en]
uws-etd.degree: Master of Applied Science [en]
uws-etd.degree.department: Electrical and Computer Engineering [en]
uws.peerReviewStatus: Unreviewed [en]
uws.scholarLevel: Graduate [en]
uws.typeOfResource: Text [en]

Files

Original bundle

Name: Dittmer_Mark.pdf
Size: 476.36 KB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 2.67 KB
Format: Item-specific license agreed upon to submission
Description: