sektioneins / SUIDGuard

SUIDGuard - a TrustedBSD Kernel Extension that adds mitigations to protect SUID/SGID processes a bit more

&& ((va.va_uid == 0) || (va.va_gid == 0)) seems too narrow. (Abusing DYLD to cross trust boundaries still possible!) #8

Open jpouellet opened 9 years ago

jpouellet commented 9 years ago

SUIDGuard.c:104:

    /* now check if this is a SUID/SGID root binary */
    if ((va.va_mode & (VSUID|VSGID)) && ((va.va_uid == 0) || (va.va_gid == 0))) {
        ...
            printf("SUIDGuard: found and neutralized DYLD_ environment variable for SUID/SGID root binary\n");

This makes the implicit assumption that the only trust boundary that matters is that between not-root and root. I assert that this is not a valid assumption.

There are many systems which have suid binaries owned by other users, for which arbitrary file writing is still a very powerful unexpected capability!

Unfortunately I can't test without the check for {u,g}id == 0 to see if anything breaks (which I highly doubt) unless I disable kext signing completely (which I haven't done) since you can't seem to use self-signed kexts and I'm not part of the Apple developer program thing.

Am I missing something?

stefanesser commented 9 years ago

The advertisement for SUIDGuard states that at the moment we only handle SUID/SGID root so this is not a surprise.

Of course there might be SUID/SGID binaries for other users installed, but that was not a priority because it is not a default thing. I would actually be interested to know what software for OS X installs SUID/SGID binaries that are not SUID/SGID root.

In the near future we will change SUIDGuard to cover all SUID/SGID executions and to also kick in for binaries restricted by entitlements (which gets more important with El Capitan).
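Added example, not SUIDGuard's own code: the root-only condition quoted from SUIDGuard.c in the issue, beside the broadened any-SUID/SGID condition the maintainer says is planned, both run over a constructed exec of a setuid binary owned by uid 501. `struct fake_vattr`, the `demo_non_root_suid` scenario and the prefix-rename scrub are assumptions standing in for the kext's real `vnode_attr` handling and neutralisation logic.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

/* Mode bits as in BSD/XNU <sys/vnode.h>, defined here so the example
 * builds in user space without kernel headers. */
#define VSUID 04000
#define VSGID 02000

/* Stand-in for the struct vnode_attr fields the SUIDGuard check reads. */
struct fake_vattr { mode_t va_mode; uid_t va_uid; gid_t va_gid; };

/* The condition quoted from SUIDGuard.c: only SUID/SGID *root* binaries. */
bool root_only_check(const struct fake_vattr *va)
{
    return (va->va_mode & (VSUID | VSGID)) &&
           ((va->va_uid == 0) || (va->va_gid == 0));
}
/* Broadened condition: any SUID/SGID binary crosses a trust boundary. */
bool any_suid_check(const struct fake_vattr *va)
{
    return (va->va_mode & (VSUID | VSGID)) != 0;
}

/* Neutralise DYLD_* entries in place by renaming the prefix (a constructed
 * stand-in for whatever the kext really does); returns entries touched. */
int scrub_dyld_env(char *envp[], int envc)
{
    int hits = 0;
    for (int i = 0; i < envc; i++)
        if (strncmp(envp[i], "DYLD_", 5) == 0) { envp[i][0] = 'X'; hits++; }
    return hits;
}
/* Run one exec through a policy; returns how many variables were scrubbed. */
int protect_exec(bool (*policy)(const struct fake_vattr *),
                 const struct fake_vattr *va, char *envp[], int envc)
{
    return policy(va) ? scrub_dyld_env(envp, envc) : 0;
}

/* Constructed scenario: a setuid binary owned by uid 501 (not root) is
 * executed with a DYLD_ variable in its environment. */
int demo_non_root_suid(bool (*policy)(const struct fake_vattr *))
{
    struct fake_vattr va = { .va_mode = 0755 | VSUID, .va_uid = 501, .va_gid = 20 };
    char v0[] = "DYLD_LIBRARY_PATH=/tmp", v1[] = "PATH=/usr/bin";
    char *envp[] = { v0, v1 };
    return protect_exec(policy, &va, envp, 2);
}
```

With the root-only policy the non-root setuid binary is executed with its DYLD_ variable intact; the broadened policy scrubs it.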