This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/21073] tunables: insecure environment variables passed to subprocesses with AT_SECURE

From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Thu, 02 Feb 2017 10:41:51 +0000
Subject: [Bug libc/21073] tunables: insecure environment variables passed to subprocesses with AT_SECURE
Auto-submitted: auto-generated
References: <bug-21073-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21073

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  ed8d5ffd0a14e84298a15ae2ec9b799010166b28 (commit)
       via  8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12 (commit)
      from  9c8e64485360d08d95884bddc0958cf3a5ca9c5c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ed8d5ffd0a14e84298a15ae2ec9b799010166b28

commit ed8d5ffd0a14e84298a15ae2ec9b799010166b28
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Thu Feb 2 15:48:06 2017 +0530

    Drop GLIBC_TUNABLES for setxid programs when tunables is disabled (bz
#21073)

    A setxid program that uses a glibc with tunables disabled may pass on
    GLIBC_TUNABLES as is to its child processes.  If the child process
    ends up using a different glibc that has tunables enabled, it will end
    up getting access to unsafe tunables.  To fix this, remove
    GLIBC_TUNABLES from the environment for setxid process.

        * sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
        * elf/tst-env-setuid-tunables.c
        (test_child_tunables)[!HAVE_TUNABLES]: Verify that
        GLIBC_TUNABLES is removed in a setgid process.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12

commit 8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Thu Feb 2 15:46:01 2017 +0530

    tunables: Fix environment variable processing for setuid binaries (bz
#21073)

    Florian Weimer pointed out that we have three different kinds of
    environment variables (and hence tunables):

    1. Variables that are removed for setxid processes
    2. Variables that are ignored in setxid processes but is passed on to
       child processes
    3. Variables that are passed on to child processes all the time

    Tunables currently only does (2) and (3) when it should be doing (1)
    for MALLOC_CHECK_.  This patch enhances the is_secure flag in tunables
    to an enum value that can specify which of the above three categories
    the tunable (and its envvar alias) belongs to.

    The default is for tunables to be in (1).  Hence, all of the malloc
    tunables barring MALLOC_CHECK_ are explicitly specified to belong to
    category (2).  There were discussions around abolishing category (2)
    completely but we can do that as a separate exercise in 2.26.

    Tested on x86_64 to verify that there are no regressions.

        [BZ #21073]
        * elf/dl-tunable-types.h (tunable_seclevel_t): New enum.
        * elf/dl-tunables.c (tunables_strdup): Remove.
        (get_next_env): Also return the previous envp.
        (parse_tunables): Erase tunables of category
        TUNABLES_SECLEVEL_SXID_ERASE.
        (maybe_enable_malloc_check): Make MALLOC_CHECK_
        TUNABLE_SECLEVEL_NONE if /etc/setuid-debug is accessible.
        (__tunables_init)[TUNABLES_FRONTEND ==
        TUNABLES_FRONTEND_valstring]: Update GLIBC_TUNABLES envvar
        after parsing.
        [TUNABLES_FRONTEND != TUNABLES_FRONTEND_valstring]: Erase
        tunable envvars of category TUNABLES_SECLEVEL_SXID_ERASE.
        * elf/dl-tunables.h (struct _tunable): Change member is_secure
        to security_level.
        * elf/dl-tunables.list: Add security_level annotations for all
        tunables.
        * scripts/gen-tunables.awk: Recognize and generate enum values
        for security_level.
        * elf/tst-env-setuid.c: New test case.
        * elf/tst-env-setuid-tunables: new test case.
        * elf/Makefile (tests-static): Add them.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   30 ++++
 elf/Makefile                                       |    6 +-
 elf/dl-tunable-types.h                             |   15 ++
 elf/dl-tunables.c                                  |  119 +++++++++++---
 elf/dl-tunables.h                                  |   15 +-
 elf/dl-tunables.list                               |   16 ++-
 elf/tst-env-setuid-tunables.c                      |   69 ++++++++
 stdlib/tst-secure-getenv.c => elf/tst-env-setuid.c |  176 ++++++++++++--------
 scripts/gen-tunables.awk                           |    8 +-
 sysdeps/generic/unsecvars.h                        |    7 +
 10 files changed, 358 insertions(+), 103 deletions(-)
 create mode 100644 elf/tst-env-setuid-tunables.c
 copy stdlib/tst-secure-getenv.c => elf/tst-env-setuid.c (64%)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]