Difference between revisions of "Often Misused: Privilege Management"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 +
{{Template:Fortify}}
 +
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
 +
==Abstract==
 +
 +
Failure to adhere to the principle of least privilege amplifies the risk posed by other vulnerabilities.
  
 
==Description==
 
==Description==
 +
 +
Programs that run with root privileges have caused innumerable Unix security disasters. It is imperative that you carefully review privileged programs for all kinds of security problems, but it is equally important that privileged programs drop back to an unprivileged state as quickly as possible in order to limit the amount of damage that an overlooked vulnerability might be able to cause.
 +
 +
Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another.
 +
 +
Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. An attacker may be able to leverage these elevated privileges to do further damage.
  
 
==Examples ==
 
==Examples ==
Line 18: Line 30:
  
 
[[Category:Access Control Vulnerability]]
 
[[Category:Access Control Vulnerability]]
 +
 +
[[Category:API Abuse]]
 +
 +
[[Category:Implementation]]
 +
 +
[[Category:Code Snippet]]

Revision as of 09:57, 18 July 2006

This article includes content generously donated to OWASP by Fortify.JPG.

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Abstract

Failure to adhere to the principle of least privilege amplifies the risk posed by other vulnerabilities.

Description

Programs that run with root privileges have caused innumerable Unix security disasters. It is imperative that you carefully review privileged programs for all kinds of security problems, but it is equally important that privileged programs drop back to an unprivileged state as quickly as possible in order to limit the amount of damage that an overlooked vulnerability might be able to cause.

Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another.

Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. An attacker may be able to leverage these elevated privileges to do further damage.

Examples

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.