CWE-272

Least Privilege Violation. [Privilege-Issues, Improper-Access-Control]

Required inputs: IR

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Demonstrative Examples
Example 1

The following example demonstrates the weakness.

Example Language:C
    #include <unistd.h>

    uid_t old_uid = getuid();
    setuid(0);        // escalate to root (flagged by the setuid_zero message)
    // Do some important stuff that needs root.
    setuid(old_uid);  // return to the original user id
    // Do some non privileged stuff.
Example 2

The following example demonstrates the weakness.

Example Language:Java (Unsupported language for documentation only)
    AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
            // privileged code goes here, for example:
            System.loadLibrary("awt");
            // nothing to return
            return null;
        }
    });
Example 3

The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.

Example Language:C
    #include <stdio.h>
    #include <unistd.h>

    chroot(APP_HOME);                     // confine the process to APP_HOME
    chdir("/");                           // move the cwd inside the new root
    FILE* data = fopen(argv[1], "r+");    // user-controlled path, still opened as root
    ...

Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.
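The hardened form of Example 3, and the privilege-drop discipline that the setuid_zero message in Example 1 is about, as an added example written for this page (it is not CWE's code and not the checker's own). It assumes a Linux/glibc system, a placeholder application home of /var/lib/example-app in place of APP_HOME, and uid/gid 65534 as the unprivileged identity; all three are constructed for the example. The helper drop_privileges() refuses a target of 0, clears supplementary groups while still root, sets the group before the user (the reverse order fails once the uid is non-root), and then verifies that every id changed and that root cannot be regained.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged identity and verify that the drop stuck.
 * Returns 0 on success, -1 on failure (errno is set by the failing call,
 * or to EINVAL when a uid/gid of 0 is requested). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Refuse the pattern the setuid_zero message warns about. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Supplementary groups survive setuid()/setgid(); clearing them is
     * only possible (and only needed) while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: after setuid() to a non-root uid, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Check real and effective ids rather than trusting the return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hardened form of Example 3: confine to app_home, then drop root.
 * chroot() needs root (or CAP_SYS_CHROOT), so this part cannot be
 * exercised from an unprivileged test. Returns 0 on success, -1 on failure. */
int confine_and_drop(const char *app_home, uid_t uid, gid_t gid)
{
    if (chroot(app_home) != 0)
        return -1;
    /* chdir() after chroot(): otherwise the cwd still points outside the jail. */
    if (chdir("/") != 0)
        return -1;
    /* This is the step whose absence the chroot_without_setuid message reports. */
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    /* Placeholder values constructed for this example (not from the page). */
    const char *app_home = "/var/lib/example-app";
    const uid_t unprivileged_uid = 65534;
    const gid_t unprivileged_gid = 65534;

    if (confine_and_drop(app_home, unprivileged_uid, unprivileged_gid) != 0) {
        perror("confine_and_drop");
        return 1;
    }
    /* Only now, as an unprivileged user inside the jail, touch user input. */
    FILE *data = (argc > 1) ? fopen(argv[1], "r") : NULL;
    if (data == NULL) {
        perror("fopen");
        return 1;
    }
    fclose(data);
    return 0;
}
```

Run as root the program chroots into the placeholder directory and then opens the file named on the command line as uid 65534; if any step of the drop fails it exits before touching user input, which is the property both checker messages are trying to enforce. The verification step matters on its own: setuid() can return -1 on some systems (for example when the target uid is over a resource limit), and a program that ignores that return keeps running as root.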

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

=====================  =================================================================================  ========  ========
Key                    Text                                                                               Severity  Disabled
=====================  =================================================================================  ========  ========
chroot_without_setuid  The chroot() call should be followed by a setuid() call to drop privileges.        None      False
setuid_zero            Setuid should not be called with 0 as argument, as this grants root privileges.    None      False
=====================  =================================================================================  ========  ========

Options