diff options
author | Brent Cook <busterb@gmail.com> | 2014-07-15 16:30:07 +0000 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-07-19 21:39:18 -0400 |
commit | ddddec106fd17c3aca3287005d21e92f742aa9d4 (patch) | |
tree | b980289dde0d827262451c93780690db16b4272e /src/legacy/isastream.c | |
parent | cec33b2c6079195c687331beda5409f449125b06 (diff) | |
download | musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.gz musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.xz musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.zip |
add issetugid function to check for elevated privilege
this function provides a way for third-party library code to use the same logic that's used internally in libc for suppressing untrusted input/state (e.g. the environment) when the application is running with privleges elevated by the setuid or setgid bit or some other mechanism. its semantics are intended to match the openbsd function by the same name. there was some question as to whether this function is necessary: getauxval(AT_SECURE) was proposed as an alternative. however, this has several drawbacks. the most obvious is that it asks programmers to be aware of an implementation detail of ELF-based systems (the aux vector) rather than simply the semantic predicate to be checked. and trying to write a safe, reliable version of issetugid in terms of getauxval is difficult. for example, early versions of the glibc getauxval did not report ENOENT, which could lead to false negatives if AT_SECURE was not present in the aux vector (this could probably only happen when running on non-linux kernels under linux emulation, since glibc does not support linux versions old enough to lack AT_SECURE). as for musl, getauxval has always properly reported errors, but prior to commit 7bece9c2095ee81f14b1088f6b0ba2f37fecb283, the musl implementation did not emulate AT_SECURE if missing, which would result in a false positive. since musl actually does partially support kernels that lack AT_SECURE, this was problematic. the intent is that library authors will use issetugid if its availability is detected at build time, and only fall back to the unreliable alternatives on systems that lack it. patch by Brent Cook. commit message/rationale by Rich Felker.
Diffstat (limited to 'src/legacy/isastream.c')
0 files changed, 0 insertions, 0 deletions