diff options
Diffstat (limited to 'stdlib')
-rw-r--r-- | stdlib/Makefile | 4 | ||||
-rw-r--r-- | stdlib/Versions | 7 | ||||
-rw-r--r-- | stdlib/secure-getenv.c | 13 | ||||
-rw-r--r-- | stdlib/stdlib.h | 4 | ||||
-rw-r--r-- | stdlib/tst-secure-getenv.c | 250 |
5 files changed, 272 insertions, 6 deletions
diff --git a/stdlib/Makefile b/stdlib/Makefile index f7811c5bbb..10674f2cd7 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -68,7 +68,9 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ tst-makecontext2 tst-strtod6 tst-unsetenv1 \ - tst-makecontext3 bug-getcontext bug-fmtmsg1 + tst-makecontext3 bug-getcontext bug-fmtmsg1 \ + tst-secure-getenv +tests-static := tst-secure-getenv include ../Makeconfig diff --git a/stdlib/Versions b/stdlib/Versions index 2aa396ecb7..250bd5fad7 100644 --- a/stdlib/Versions +++ b/stdlib/Versions @@ -6,7 +6,7 @@ libc { # functions used in inline functions or macros __strto*_internal; - # functions used in other libraries + # compatibility symbol __secure_getenv; # a* @@ -103,11 +103,16 @@ libc { GLIBC_2.13 { __fentry__; } + GLIBC_2.17 { + secure_getenv; + } GLIBC_PRIVATE { # functions which have an additional interface since they are # are cancelable. __libc_system; # Variable which needs a dynamic symbol table entry. __abort_msg; + # Used from other libraries + __libc_secure_getenv; } } diff --git a/stdlib/secure-getenv.c b/stdlib/secure-getenv.c index f64759f09b..2e696e90f0 100644 --- a/stdlib/secure-getenv.c +++ b/stdlib/secure-getenv.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991, 1992, 1994, 1996, 2002 Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -18,13 +18,20 @@ #include <stdlib.h> #include <unistd.h> +#include <shlib-compat.h> + /* Some programs and especially the libc itself have to be careful what values to accept from the environment. This special version checks for SUID or SGID first before doing any work. */ char * -__secure_getenv (name) +__libc_secure_getenv (name) const char *name; { return __libc_enable_secure ? NULL : getenv (name); } -libc_hidden_def (__secure_getenv) +weak_alias (__libc_secure_getenv, secure_getenv) +libc_hidden_weak (__libc_secure_getenv) + +#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_16) +compat_symbol (libc, __libc_secure_getenv, __secure_getenv, GLIBC_2_0); +#endif diff --git a/stdlib/stdlib.h b/stdlib/stdlib.h index f652eda3fe..cf3f39ca84 100644 --- a/stdlib/stdlib.h +++ b/stdlib/stdlib.h @@ -568,10 +568,12 @@ __BEGIN_NAMESPACE_STD extern char *getenv (const char *__name) __THROW __nonnull ((1)) __wur; __END_NAMESPACE_STD +#ifdef __USE_GNU /* This function is similar to the above but returns NULL if the programs is running with SUID or SGID enabled. */ -extern char *__secure_getenv (const char *__name) +extern char *secure_getenv (const char *__name) __THROW __nonnull ((1)) __wur; +#endif #if defined __USE_SVID || defined __USE_XOPEN /* The SVID says this is in <stdio.h>, but this seems a better place. */ diff --git a/stdlib/tst-secure-getenv.c b/stdlib/tst-secure-getenv.c new file mode 100644 index 0000000000..76d8de6ed4 --- /dev/null +++ b/stdlib/tst-secure-getenv.c @@ -0,0 +1,250 @@ +/* Copyright (C) 2012 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +/* Test that secure_getenv works by invoking the test as a SGID + program with a group ID from the supplementary group list. This + test can fail spuriously if the user is not a member of a suitable + supplementary group. */ + +#include <errno.h> +#include <fcntl.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <unistd.h> + +static char MAGIC_ARGUMENT[] = "run-actual-test"; +#define MAGIC_STATUS 19 + +static const char *test_dir; + +/* Return a GID which is not our current GID, but is present in the + supplementary group list. */ +static gid_t +choose_gid (void) +{ + const int count = 64; + gid_t groups[count]; + int ret = getgroups (count, groups); + if (ret < 0) + { + perror ("getgroups"); + exit (1); + } + gid_t current = getgid (); + for (int i = 0; i < ret; ++i) + { + if (groups[i] != current) + return groups[i]; + } + return 0; +} + + +/* Copies the executable into a restricted directory, so that we can + safely make it SGID with the TARGET group ID. Then runs the + executable. */ +static int +run_executable_sgid (gid_t target) +{ + char *dirname = 0; + char *execname = 0; + int infd = -1; + int outfd = -1; + int ret = -1; + if (asprintf (&dirname, "%s/secure-getenv.%jd", + test_dir, (intmax_t) getpid ()) < 0) + { + perror ("asprintf"); + goto err; + } + if (mkdir (dirname, 0700) < 0) + { + perror ("mkdir"); + goto err; + } + if (asprintf (&execname, "%s/bin", dirname) < 0) + { + perror ("asprintf"); + goto err; + } + infd = open ("/proc/self/exe", O_RDONLY); + if (infd < 0) + { + perror ("open"); + goto err; + } + outfd = open (execname, O_WRONLY | O_CREAT | O_EXCL, 0700); + if (outfd < 0) + { + perror ("open"); + goto err; + } + char buf[4096]; + for (;;) + { + ssize_t rdcount = read (infd, buf, sizeof (buf)); + if (rdcount < 0) + { + perror ("read"); + goto err; + } + if (rdcount == 0) + break; + char *p = buf; + char *end = buf + rdcount; + while (p != end) + { + ssize_t wrcount = write (outfd, buf, end - p); + if (wrcount == 0) + errno = ENOSPC; + if (wrcount <= 0) + { + perror ("write"); + goto err; + } + p += wrcount; + } + } + if (fchown (outfd, getuid (), target) < 0) + { + perror ("fchown"); + goto err; + } + if (fchmod (outfd, 02750) < 0) + { + perror ("fchmod"); + goto err; + } + if (close (outfd) < 0) + { + perror ("close"); + goto err; + } + if (close (infd) < 0) + { + perror ("close"); + goto err; + } + + int kid = fork (); + if (kid < 0) + { + perror ("fork"); + goto err; + } + if (kid == 0) + { + /* Child process. */ + char *args[] = { execname, MAGIC_ARGUMENT, NULL }; + execve (execname, args, environ); + perror ("execve"); + _exit (1); + } + int status; + if (waitpid (kid, &status, 0) < 0) + { + perror ("waitpid"); + goto err; + } + if (!WIFEXITED (status) || WEXITSTATUS (status) != MAGIC_STATUS) + { + fprintf (stderr, "Unexpected exit status %d from child process\n", + status); + goto err; + } + ret = 0; + +err: + if (outfd >= 0) + close (outfd); + if (infd >= 0) + close (infd); + if (execname) + { + unlink (execname); + free (execname); + } + if (dirname) + { + rmdir (dirname); + free (dirname); + } + return ret; +} + +static int +do_test (void) +{ + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set\n"); + exit (1); + } + if (secure_getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set according to secure_getenv\n"); + exit (1); + } + if (strcmp (getenv ("PATH"), secure_getenv ("PATH")) != 0) + { + fprintf (stderr, "PATH mismatch (%s, %s)\n", + getenv ("PATH"), secure_getenv ("PATH")); + exit (1); + } + + gid_t target = choose_gid (); + if (target == 0) + { + fprintf (stderr, "Could not find a suitable GID user %jd\n", + (intmax_t) getuid ()); + exit (1); + } + return run_executable_sgid (target); +} + +static void +alternative_main (int argc, char **argv) +{ + if (argc == 2 && strcmp (argv[1], MAGIC_ARGUMENT) == 0) + { + if (getgid () == getegid ()) + { + fprintf (stderr, "SGID failed: GID and EGID match (%jd)\n", + (intmax_t) getgid ()); + exit (2); + } + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH variable not present\n"); + exit (3); + } + if (secure_getenv ("PATH") != NULL) + { + fprintf (stderr, "PATH variable not filtered out\n"); + exit (4); + } + exit (MAGIC_STATUS); + } +} + +#define PREPARE(argc, argv) alternative_main(argc, argv) +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |