elf: Ignore LD_PROFILE for setuid binaries - mirror/glibc - mirror of git://sourceware.org/git/glibc.git

diff options

author	Adhemerval Zanella <adhemerval.zanella@linaro.org>	2023-11-06 17:25:45 -0300
committer	Adhemerval Zanella <adhemerval.zanella@linaro.org>	2023-11-21 16:15:42 -0300
commit	4a133885a7c8ae7ebe34e36fcdb353f8e94c810f (patch)
tree	3e7b0282fa619485f4a6f3873457e112b735962b /sysdeps/ia64
parent	1c87f71a36e21fa851117c151b3c492fa3eede5b (diff)
download	glibc-4a133885a7c8ae7ebe34e36fcdb353f8e94c810f.tar.gz glibc-4a133885a7c8ae7ebe34e36fcdb353f8e94c810f.tar.xz glibc-4a133885a7c8ae7ebe34e36fcdb353f8e94c810f.zip

elf: Ignore LD_PROFILE for setuid binaries

Loader does not ignore LD_PROFILE in secure-execution mode (different
than man-page states [1]), rather it uses a different path
(/var/profile) and ignore LD_PROFILE_OUTPUT.

Allowing secure-execution profiling is already a non good security
boundary, since it enables different code paths and extra OS access by
the process.  But by ignoring LD_PROFILE_OUTPUT, the resulting profile
file might also be acceded in a racy manner since the file name does not
use any process-specific information (such as pid, timing, etc.).

Another side-effect is it forces lazy binding even on libraries that
might be with DF_BIND_NOW.

[1] https://man7.org/linux/man-pages/man8/ld.so.8.html
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Diffstat (limited to 'sysdeps/ia64')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: