[Bug manual/4017] environment cleaning of unsecvars by setuid/gid programs not documented

["bugdal at aerifal dot cx" <sourceware-bugzilla at sourceware dot org>]

http://sourceware.org/bugzilla/show_bug.cgi?id=4017

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #2 from Rich Felker <bugdal at aerifal dot cx> 2012-05-06 12:29:26 UTC ---
This behavior is also non-conformant. The library should *ignore* such
environment variables when the program was invoked as suid, but it should not
prune them. A conforming application can expect to be able to inspect them
(e.g. to validate them itself and use them for its own purposes if they're
deemed safe) or have them successfully passed on to a new process or process
image. This latter usage is safe if the program has dropped privileges before
doing so, and if a program running with elevated privileges is going to exec or
spawn child processes without dropping privileges, it MUST clear the whole
environment or at least all but a small whitelisted set of variables to be
secure.

glibc's behavior of pruning the environment actually makes things a lot LESS
secure in the latter case, because programmers may forget (or assume they don't
need) to do this whitelist-based pruning themselves. This is not safe, because
glibc only knows about the variables which it uses, not other
third-party-library-specific or application-specific variables that could be
equally dangerous.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.