diff options
author | Rich Felker <dalias@aerifal.cx> | 2011-08-23 09:37:39 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2011-08-23 09:37:39 -0400 |
commit | df0b5a49406763aa4719dfad561a5de8924ecd59 (patch) | |
tree | 0d5dc42698f2b710dd27156554b10230ba21256b /src/env/__init_security.c | |
parent | c0f344160d22d889460573d003cf349626a38184 (diff) | |
download | musl-df0b5a49406763aa4719dfad561a5de8924ecd59.tar.gz musl-df0b5a49406763aa4719dfad561a5de8924ecd59.tar.xz musl-df0b5a49406763aa4719dfad561a5de8924ecd59.zip |
security hardening: ensure suid programs have valid stdin/out/err
this behavior (opening fds 0-2 for a suid program) is explicitly allowed (but not required) by POSIX to protect badly-written suid programs from clobbering files they later open. this commit does add some cost in startup code, but the availability of auxv and the security flag will be useful elsewhere in the future. in particular auxv is needed for static-linked vdso support, which is still waiting to be committed (sorry nik!)
Diffstat (limited to 'src/env/__init_security.c')
-rw-r--r-- | src/env/__init_security.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/env/__init_security.c b/src/env/__init_security.c new file mode 100644 index 00000000..5fd12ecb --- /dev/null +++ b/src/env/__init_security.c @@ -0,0 +1,26 @@ +#include <stddef.h> +#include <elf.h> +#include <poll.h> +#include <fcntl.h> +#include "syscall.h" +#include "libc.h" +#include "atomic.h" + +#define AUX_CNT 24 + +void __init_security(size_t *auxv) +{ + size_t i, aux[AUX_CNT] = { 0 }; + struct pollfd pfd[3] = { {.fd=0}, {.fd=1}, {.fd=2} }; + + for (; auxv[0]; auxv+=2) if (auxv[0]<AUX_CNT) aux[auxv[0]] = auxv[1]; + if (aux[AT_UID]==aux[AT_EUID] && aux[AT_GID]==aux[AT_EGID] + && !aux[AT_SECURE]) return; + + __syscall(SYS_poll, pfd, 3, 0); + for (i=0; i<3; i++) + if (pfd[i].revents&POLLNVAL) + if (__syscall(SYS_open, "/dev/null", O_RDWR)<0) + a_crash(); + libc.secure = 1; +} |