path: root/sysdeps/generic/unsecvars.h
Commit message | Author | Age | Files | Lines
* elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries | Adhemerval Zanella | 2023-12-05 | 1 | -0/+2
  To avoid any environment variable to change setuid binaries semantics.

  Checked on x86_64-linux-gnu.
  Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore loader debug env vars for setuid | Adhemerval Zanella | 2023-12-05 | 1 | -0/+2
  Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to LD_DEBUG, in the sense they enable additional checks and debug information, so it makes sense to disable them.

  Also add both LD_VERBOSE and LD_WARN on filtered environment variables for setuid binaries.

  Checked on x86_64-linux-gnu.
  Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Add all malloc tunable to unsecvars | Adhemerval Zanella | 2023-11-21 | 1 | -0/+7
  Some environment variables allow alteration of allocator behavior across setuid boundaries, where a setuid program may ignore the tunable, but its non-setuid child can read it and adjust the memory allocator behavior accordingly.

  Most library behavior tunings is limited to the current process and does not bleed in scope; so it is unclear how practical this misfeature is. If behavior change across privilege boundaries is desirable, it would be better done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger.

  The patch also fixes tst-env-setuid, where it fails if any unsecvars is set. It also adds a dynamic test, although it requires --enable-hardcoded-path-in-tests so kernel correctly sets the setuid bit (using the loader command directly would require to set the setuid bit on the loader itself, which is not a usual deployment).

  Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
  Checked on x86_64-linux-gnu.
  Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Add GLIBC_TUNABLES to unsecvars | Adhemerval Zanella | 2023-11-21 | 1 | -0/+1
  setuid/setgid process now ignores any glibc tunables, and filters out all environment variables that might change its behavior. This patch also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid processes should set tunable explicitly.

  Checked on x86_64-linux-gnu.
  Reviewed-by: Florian Weimer <fweimer@redhat.com>
  Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Propagate GLIBC_TUNABLES in setxid binaries | Siddhesh Poyarekar | 2023-10-02 | 1 | -1/+0
  GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some tunables are required to propagate past setxid boundary, like their env_alias. Rely on tunable scrubbing to clean out GLIBC_TUNABLES like before, restoring behaviour in glibc 2.37 and earlier.

  Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
  Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Remove --enable-tunables configure option | Adhemerval Zanella Netto | 2023-03-29 | 1 | -7/+1
  And make always supported. The configure option was added on glibc 2.25 and some features require it (such as hwcap mask, huge pages support, and lock elision tuning). It also simplifies the build permutations.

  Changes from v1:
  * Remove glibc.rtld.dynamic_sort changes, it is orthogonal and needs more discussion.
  * Cleanup more code.

  Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove LD_USE_LOAD_BIAS | Adhemerval Zanella | 2022-02-10 | 1 | -1/+0
  It is solely for prelink with PIE executables [1].

  [1] https://sourceware.org/legacy-ml/libc-hacker/2003-11/msg00127.html

  Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (bug #21209) | Siddhesh Poyarekar | 2017-03-07 | 1 | -0/+1
  The LD_HWCAP_MASK environment variable may alter the selection of function variants for some architectures. For AT_SECURE process it means that if an outdated routine has a bug that would otherwise not affect newer platforms by default, LD_HWCAP_MASK will allow that bug to be exploited.

  To be on the safe side, ignore and disable LD_HWCAP_MASK for setuid binaries.

  [BZ #21209]
  * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for AT_SECURE processes.
  * sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK.
  * elf/tst-env-setuid.c (test_parent): Test LD_HWCAP_MASK. (test_child): Likewise.
  * elf/Makefile (tst-env-setuid-ENV): Add LD_HWCAP_MASK.
* Drop GLIBC_TUNABLES for setxid programs when tunables is disabled (bz #21073) | Siddhesh Poyarekar | 2017-02-02 | 1 | -0/+7
  A setxid program that uses a glibc with tunables disabled may pass on GLIBC_TUNABLES as is to its child processes. If the child process ends up using a different glibc that has tunables enabled, it will end up getting access to unsafe tunables. To fix this, remove GLIBC_TUNABLES from the environment for setxid process.

  * sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
  * elf/tst-env-setuid-tunables.c (test_child_tunables)[!HAVE_TUNABLES]: Verify that GLIBC_TUNABLES is removed in a setgid process.
* * malloc/malloc.c (_int_malloc): Remove unused any_larger variable. | Ulrich Drepper | 2006-10-11 | 1 | -0/+1
  * nis/nis_defaults.c (__nis_default_access): Don't call getenv twice.
  * nis/nis_subr.c (nis_getnames): Use __secure_getenv instead of getenv.
  * sysdeps/generic/unsecvars.h: Add NIS_PATH.
* * csu/elf-init.c (__libc_csu_fini): Don't do anything here. | Ulrich Drepper | 2005-01-06 | 1 | -8/+9
  * sysdeps/generic/libc-start.c: Don't register program destructor here.
  * dlfcn/Makefile: Add rules to build dlfcn.c. (LDFLAGS-dl.so): Removed.
  * dlfcn/dlclose.c: _dl_close is now in ld.so, use function pointer table.
  * dlfcn/dlmopen.c: Likewise for _dl_open.
  * dlfcn/dlopen.c: Likewise.
  * dlfcn/dlopenold.c: Likewise.
  * elf/dl-libc.c: Likewise for _dl_open and _dl_close.
  * elf/Makefile (routines): Remove dl-open and dl-close. (dl-routines): Add dl-open, dl-close, and dl-trampoline. Add rules to build and run tst-audit1.
  * elf/tst-audit1.c: New file.
  * elf/tst-auditmod1.c: New file.
  * elf/Versions [libc]: Remove _dl_open and _dl_close.
  * elf/dl-close.c: Change for use inside ld.so instead of libc.so.
  * elf/dl-open.c: Likewise.
  * elf/dl-debug.c (_dl_debug_initialize): Allow reinitialization, signaled by nonzero parameter.
  * elf/dl-init.c: Fix use of r_state.
  * elf/dl-load.c: Likewise.
  * elf/dl-close.c: Add auditing checkpoints.
  * elf/dl-open.c: Likewise.
  * elf/dl-fini.c: Likewise.
  * elf/dl-load.c: Likewise.
  * elf/dl-sym.c: Likewise.
  * sysdeps/generic/libc-start.c: Likewise.
  * elf/dl-object.c: Allocate memory for auditing information.
  * elf/dl-reloc.c: Remove RESOLV. We now always need the map. Correctly initialize slotinfo.
  * elf/dynamic-link.h: Adjust after removal of RESOLV.
  * sysdeps/hppa/dl-lookupcfg.h: Likewise.
  * sysdeps/ia64/dl-lookupcfg.h: Likewise.
  * sysdeps/powerpc/powerpc64/dl-lookupcfg.h: Removed.
  * elf/dl-runtime.c (_dl_fixup): Little cleanup. (_dl_profile_fixup): New parameters to point to register struct and variable for frame size. Add auditing checkpoints. (_dl_call_pltexit): New function. Don't define trampoline code here.
  * elf/rtld.c: Recognize LD_AUDIT. Load modules on startup. Remove all the functions from _rtld_global_ro which only _dl_open and _dl_close needed. Add auditing checkpoints.
  * elf/link.h: Define symbols for auditing interfaces.
  * include/link.h: Likewise.
  * include/dlfcn.h: Define __RTLD_AUDIT. Remove prototypes for _dl_open and _dl_close. Adjust access to argc and argv in libdl.
  * dlfcn/dlfcn.c: New file.
  * sysdeps/generic/dl-lookupcfg.h: Remove all content now that RESOLVE is gone.
  * sysdeps/generic/ldsodefs.h: Add definitions for auditing interfaces.
  * sysdeps/generic/unsecvars.h: Add LD_AUDIT.
  * sysdeps/i386/dl-machine.h: Remove trampoline code here. Adjust for removal of RESOLVE.
  * sysdeps/x86_64/dl-machine.h: Likewise.
  * sysdeps/generic/dl-trampoline.c: New file.
  * sysdeps/i386/dl-trampoline.c: New file.
  * sysdeps/x86_64/dl-trampoline.c: New file.
  * sysdeps/generic/dl-tls.c: Cleanups. Fixup for dtv_t change. Fix updating of DTV.
  * sysdeps/generic/libc-tls.c: Likewise.
  * sysdeps/arm/bits/link.h: Renamed to ...
  * sysdeps/arm/buts/linkmap.h: ...this.
  * sysdeps/generic/bits/link.h: Renamed to...
  * sysdeps/generic/bits/linkmap.h: ...this.
  * sysdeps/hppa/bits/link.h: Renamed to...
  * sysdeps/hppa/bits/linkmap.h: ...this.
  * sysdeps/hppa/i386/link.h: Renamed to...
  * sysdeps/hppa/i386/linkmap.h: ...this.
  * sysdeps/hppa/ia64/link.h: Renamed to...
  * sysdeps/hppa/ia64/linkmap.h: ...this.
  * sysdeps/hppa/s390/link.h: Renamed to...
  * sysdeps/hppa/s390/linkmap.h: ...this.
  * sysdeps/hppa/sh/link.h: Renamed to...
  * sysdeps/hppa/sh/linkmap.h: ...this.
  * sysdeps/hppa/x86_64/link.h: Renamed to...
  * sysdeps/hppa/x86_64/linkmap.h: ...this.

  2005-01-06 Ulrich Drepper <drepper@redhat.com>

  * allocatestack.c (init_one_static_tls): Adjust initialization of DTV entry for static tls deallocation fix.
  * sysdeps/alpha/tls.h (dtv_t): Change pointer type to be struct which also contains information whether the memory pointed to is static TLS or not.
  * sysdeps/i386/tls.h: Likewise.
  * sysdeps/ia64/tls.h: Likewise.
  * sysdeps/powerpc/tls.h: Likewise.
  * sysdeps/s390/tls.h: Likewise.
  * sysdeps/sh/tls.h: Likewise.
  * sysdeps/sparc/tls.h: Likewise.
  * sysdeps/x86_64/tls.h: Likewise.
* (CFLAGS-tst-align.c): Add -mpreferred-stack-boundary=4. | Ulrich Drepper | 2004-12-22 | 1 | -10/+8
* 2.5-18.1 | Jakub Jelinek | 2007-07-12 | 1 | -8/+10
* Update. cvs/fedora-glibc-20041207T1331 | Ulrich Drepper | 2004-12-07 | 1 | -0/+3
  2004-12-01 Jakub Jelinek <jakub@redhat.com>

  * elf/rtld.c (process_envvars): Don't consider LD_SHOW_AUXV and LD_DYNAMIC_WEAK if __libc_enable_secure. If __libc_enable_secure, /etc/suid-debug doesn't exist and program will be actually run, turn off all debugging.
  * sysdeps/generic/unsecvars.h (UNSECURE_ENVVARS): Add LD_DEBUG, LD_DYNAMIC_WEAK and LD_SHOW_AUXV.
* Update. | Ulrich Drepper | 2004-11-27 | 1 | -0/+1
  2004-11-26 Jakub Jelinek <jakub@redhat.com>

  * sysdeps/generic/unsecvars.h (UNSECURE_ENVVARS): Add GETCONF_DIR.

  2004-11-26 Kaz Kojima <kkojima@rr.iij4u.or.jp>

  * sysdeps/unix/sysv/linux/mips/pread.c: Include sgidefs.h only if NO_SGIDEFS_H isn't defined. Don't include sgidefs.h twice.
  * sysdeps/unix/sysv/linux/mips/pwrite.c: Likewise.
  * sysdeps/unix/sysv/linux/mips/pread64.c: Likewise.
  * sysdeps/unix/sysv/linux/mips/pwrite64.c: Likewise.
* Update. | Ulrich Drepper | 2003-11-26 | 1 | -0/+1
  2003-11-25 Ulrich Drepper <drepper@redhat.com>

  * posix/runptests.c (main): Make errors fatal.
  * posix/PTESTS: One test in GA135 and GA136 check functionality which seems not guaranteed.

  2003-11-25 Jakub Jelinek <jakub@redhat.com>

  * posix/regexec.c (re_search_internal): If prune_impossible_nodes returned REG_NOMATCH, set match_last to -1. Don't initialize pmatch[0] needlessly. Fix comment. (prune_impossible_nodes): Don't segfault on NULL state_log entry. (set_regs): Fix comment.
  * posix/regcomp.c (parse_bracket_exp): Only set has_plural_match if adding both SIMPLE_BRACKET and COMPLEX_BRACKET. (build_charclass_op): Set has_plural_match if adding both SIMPLE_BRACKET and COMPLEX_BRACKET.
  * posix/bug-regex11.c (tests): Fix register values for one commented out test. Add new tests.
  * posix/regex_internal.c (re_string_allocate): Make sure init_len is at least dfa->mb_cur_max. (re_string_reconstruct): If is_utf8, don't fall back into re_string_skip_chars just because idx points into a middle of valid UTF-8 character. Instead, set the wcs bytes which correspond to the partial character bytes to WEOF.
  * posix/regexec.c (re_search_internal): Allocate input.bufs_len + 1 instead of dfa->nodes_len + 1 state_log entries initially.
  * posix/bug-regex20.c (main): Uncomment backwards case insensitive tests.
* Update. | Ulrich Drepper | 2001-11-06 | 1 | -11/+18
  * elf/elf.h: Add dynamic tag definitions for prelinking.
  * elf/rtld.c (process_envvars): Avoid using array of string pointers. Rewrite code to remove environment variables for SUID binaries. Small optimization in LD_PROFILE handling.
  * sysdeps/generic/unsecvars.h: Adjust format for process_envvars changes.
  * sysdeps/unix/sysv/linux/i386/dl-librecon.h: Likewise.
  * sysdeps/generic/dl-sysdep.c: Don't initialize _dl_cpuclock_offset.
* Update. | Ulrich Drepper | 2001-01-08 | 1 | -0/+1
  * resolv/res_query.c: Use simply getenv() for HOSTALIASES.
  * sysdeps/generic/unsecvars.h (UNSECURE_ENVVARS): Add HOSTALIASES.
* Update. | Ulrich Drepper | 2001-01-08 | 1 | -1/+1
  * sysdeps/generic/unsecvars.h (UNSECURE_ENVVARS): Add missing comma.
* Update. | Ulrich Drepper | 2000-09-26 | 1 | -0/+11
  2000-09-26 Thorsten Kukuk <kukuk@suse.de>

  * nscd/dbg_log.c (dbg_log): Add missing format string.
  * catgets/catgets.c (catopen): Use getenv instead of __secure_getenv since we filter out the variable once.
  * iconv/gconv_conf.c (__gconv_get_path): Likewise.
  * locale/newlocale.c (__newlocale): Likewise.
  * locale/setlocale.c (setlocale): Likewise.
  * malloc/malloc.c (ptmalloc_init): Likewise.
  * resolv/res_hconf.c (_res_hconf_init): Likewise.
  * resolv/res_init.c (__res_vinit): Likewise.
  * time/tzfile.c (__tzfile_read): Likewise.
  * sysdeps/generic/unsecvars.h: New file.
  * elf/dl-support.c (non_dynamic_init): Use it here to remove variables.
  * elf/rtld.c (process_envvars): Likewise.
  * elf/Makefile (distribute): Add unsecvars.h.