This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure
- From: "busterb at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 29 Jun 2014 03:16:36 +0000
- Subject: [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
Bug ID: 17100
Summary: secure_getenv() does not seem to properly detect if an environment is secure
Product: glibc
Version: 2.19
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: busterb at gmail dot com
CC: drepper.fsp at gmail dot com

Until getauxval(AT_SECURE) was added, there did not appear to be a good way to
detect if a process is running setuid/setgid or not. You can find various
discussions about how to implement the BSD issetugid() function on Linux for
reference.

Checks like (uid==euid||gid==egid) can fail in various ways, e.g. it cannot
detect if a process has changed its uid/gid back, it is racy in multi-threaded
contexts, among other issues. I think that future glibc versions should only
use AT_SECURE, removing the getuid/geteuid check. If AT_SECURE is unavailable,
just assume the worst.

<snip>
      case AT_SECURE:
        seen = -1;
        __libc_enable_secure = av->a_un.a_val;
        __libc_enable_secure_decided = 1;
<snip>
__libc_init_secure (void)
{
  if (__libc_enable_secure_decided == 0)
    __libc_enable_secure = (__geteuid () != __getuid ()
                            || __getegid () != __getgid ());
}
<snip>
char *
__libc_secure_getenv (name)
     const char *name;
{
  return __libc_enable_secure ? NULL : getenv (name);
}
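
An added example, not part of the bug report or of glibc: a C sketch of the approach the report proposes, deciding secure mode from getauxval(AT_SECURE) alone and assuming the worst when the entry is absent, shown next to the uid/gid comparison for a process that has changed its IDs back. The helper names and sample IDs are hypothetical, and the ENOENT check assumes getauxval() sets errno for a missing entry, as glibc 2.19 and later do.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: the comparison used in the __libc_init_secure fallback. */
static int secure_by_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return euid != ruid || egid != rgid;
}

/* Hypothetical helper: policy from the report. No AT_SECURE entry means
   "assume the worst"; otherwise trust the value the kernel set at exec. */
static int secure_by_auxv(int found, unsigned long value)
{
    return !found || value != 0;
}

/* Read AT_SECURE, telling "present and 0" apart from "absent" via errno. */
static int process_is_secure(void)
{
    unsigned long value;

    errno = 0;
    value = getauxval(AT_SECURE);
    return secure_by_auxv(!(value == 0 && errno == ENOENT), value);
}

/* Same shape as __libc_secure_getenv, with the decision passed in. */
static const char *getenv_unless_secure(int secure, const char *name)
{
    return secure ? NULL : getenv(name);
}

int main(void)
{
    /* Constructed case: a setuid program that has since set its effective
       IDs back to the real ones. AT_SECURE was fixed at exec and is still 1. */
    printf("id comparison after changing back: %d\n",
           secure_by_ids(1000, 1000, 1000, 1000));
    printf("AT_SECURE=1 from exec:             %d\n", secure_by_auxv(1, 1));
    printf("AT_SECURE entry absent:            %d\n", secure_by_auxv(0, 0));
    printf("this process:                      %d\n", process_is_secure());
    printf("PATH visible: %s\n",
           getenv_unless_secure(process_is_secure(), "PATH") ? "yes" : "no");
    return 0;
}
```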