Set-UID Lab

Project Description
Set-UID is an important security mechanism in Unix
operating systems. When a Set-UID program is run, it assumes the
owner's privileges. For example, if the program's owner is root, then
when anyone runs this program, the program gains root's privileges
during its execution. Set-UID allows us to do many interesting things,
but unfortunately, it is also the culprit of many bad things.
Therefore, the objective of this lab is two-fold:
(1) Appreciate its good side: understand why Set-UID is needed and
how it is implemented.
(2) Be aware of its bad side: understand its potential security problems.
This is an exploration lab. The students' main task is to "play" with
the Set-UID mechanism in Minix and write a lab report describing
their discoveries. Students are required to accomplish the following
tasks:
- Figure out why "passwd", "chsh", and "su" commands need to be Set-UID programs.
What will happen if they are not? If you are not familiar with
these programs, you should first learn what they can do.
- Read the OS source code of Minix,
and figure out how Set-UID is implemented in the system.
You should answer the following questions, and identify the corresponding code
in Minix.
  - How does the operating system recognize whether a file is a Set-UID file?
  - What procedures does the OS perform when it recognizes a Set-UID file?
  - How does Set-UID affect access control (i.e., when a Set-UID
  process tries to access a file, how does the OS check whether the
  process can access the file or not)?
- (Bonus) It is well known that security can be compromised if a privileged
Set-UID program does not check certain environment variables,
such as PATH, LD_LIBRARY_PATH, LD_PRELOAD, etc. This is because environment
variables are under the user's control; by changing these variables, malicious
users can control the behavior of the Set-UID program.
To defeat this attack, on most UNIX systems these
environment variables are ignored when Set-UID programs are invoked.
Please find out whether Minix has implemented such a security mechanism.
If yes, how is this mechanism implemented?
If not, does the lack of it cause a problem?
- Modify the OS source code to disable the Set-UID mechanism (note: be
creative in thinking of ways to demonstrate that you have successfully
disabled Set-UID).
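The environment-variable defense described in the bonus task can also be applied inside a privileged program itself. The following C code is an added example, not Minix code and not part of the original lab handout: it drops linker-related and search-path variables and substitutes a fixed PATH before the program would execute anything. The names running_setid, sanitize_env and SAFE_PATH, the choice of safe path, and the inclusion of IFS in the deny list are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed trusted search path for this example; adjust per system. */
static const char SAFE_PATH[] = "PATH=/bin:/usr/bin";

/* Nonzero when real and effective IDs differ, i.e. a Set-UID/Set-GID run. */
int running_setid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Entries that steer the dynamic linker or command lookup are untrusted. */
static int is_dangerous(const char *entry)
{
    static const char *const prefixes[] = { "LD_", "PATH=", "IFS=" };
    size_t i;
    for (i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (strncmp(entry, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Copy env[] into out[] (cap slots, NULL terminator included), dropping
 * dangerous or malformed entries. Returns entries written, -1 if too small. */
int sanitize_env(char *const env[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = SAFE_PATH;              /* fixed PATH replaces the caller's */
    for (; *env != NULL; env++) {
        if (strchr(*env, '=') == NULL || is_dangerous(*env))
            continue;                  /* skip "NAME" without '=' and deny-listed names */
        if (n + 1 >= cap) return -1;   /* keep room for the terminator */
        out[n++] = *env;
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    extern char **environ;
    const char *clean[512];
    int n = sanitize_env(environ, clean, 512);
    printf("set-id=%d kept=%d\n", running_setid(getuid(), geteuid(), getgid(), getegid()), n);
    return n < 0;
}
```

The cleaned array is what a privileged program would pass as the environment argument of execve() instead of inheriting the caller's environment.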
Project Due Date: (1 week)
Helpful Documents
Updated on 12/21/2005