Holes in the Armor 245Superuser: The Superflaw
All multiuser operating systems need privileged accounts. Virtually all
multiuser operating systems other than Unix apportion privilege according
to need. Unix’s “Superuser” is all-or-nothing. An administrator who can
change people’s passwords must also, by design, be able to wipe out every
file on the system. That high school kid you’ve hired to do backups might
accidentally (or intentionally) leave your system open to attack.
Many Unix programs and utilities require Superuser privileges. Complex
and useful programs need to create files or write in directories to which the
user of the program does not have access. To ensure security, programs
that run as superuser must be carefully scrutinized to ensure that they
exhibit no unintended side effects and have no holes that could be
exploited to gain unauthorized superuser access. Unfortunately, this secu-
rity audit procedure is rarely performed (most third-party software vendors,
for example, are unwilling to disclose their sourcecode to their customers,
so these companies couldn’t even conduct an audit if they wanted).
The Problem with SUID
The Unix concept called SUID, or setuid, raises as many security problems
as the superuser concept does. SUID is a built-in security hole that provides
a way for regular users to run commands that require special privileges to
operate. When run, an SUID program assumes the privileges of the person
who installed the program, rather than the person who is running the pro-
gram. Most SUID programs are installed SUID root, so they run with supe-
ruser privileges.
The designers of the Unix operating system would have us believe that
SUID is a fundamental requirement of an advanced operating system. The
most common example given is /bin/passwd, the Unix program that lets
users change their passwords. The /bin/passwd program changes a user’s
password by modifying the contents of the file /etc/passwd. Ordinary users
can’t be allowed to directly modify /etc/passwd because then they could
change each other's passwords. The /bin/passwd program, which is run by
mere users, assumes superuser privileges when run and is constructed to
change only the password of the user running it and nobody else’s.
Unfortunately, while /bin/passwd is running as superuser, it doesn’t just
have permission to modify the file /etc/passwd: it has permission to mod-
ify any file, indeed, do anything it wants. (After all, it’s running as root,
with no security checks). If it can be subverted while it is running—for
example, if it can be convinced to create a subshell—then the attacking
user can inherit these superuser privileges to control the system.