This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/21073] tunables: insecure environment variables passed to subprocesses with AT_SECURE
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 02 Feb 2017 10:41:51 +0000
- Subject: [Bug libc/21073] tunables: insecure environment variables passed to subprocesses with AT_SECURE
- Auto-submitted: auto-generated
- References: <bug-21073-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=21073
--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via ed8d5ffd0a14e84298a15ae2ec9b799010166b28 (commit)
via 8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12 (commit)
from 9c8e64485360d08d95884bddc0958cf3a5ca9c5c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ed8d5ffd0a14e84298a15ae2ec9b799010166b28
commit ed8d5ffd0a14e84298a15ae2ec9b799010166b28
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Thu Feb 2 15:48:06 2017 +0530
Drop GLIBC_TUNABLES for setxid programs when tunables is disabled (bz
#21073)
A setxid program that uses a glibc with tunables disabled may pass on
GLIBC_TUNABLES as is to its child processes. If the child process
ends up using a different glibc that has tunables enabled, it will end
up getting access to unsafe tunables. To fix this, remove
GLIBC_TUNABLES from the environment for setxid process.
* sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
* elf/tst-env-setuid-tunables.c
(test_child_tunables)[!HAVE_TUNABLES]: Verify that
GLIBC_TUNABLES is removed in a setgid process.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12
commit 8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Thu Feb 2 15:46:01 2017 +0530
tunables: Fix environment variable processing for setuid binaries (bz
#21073)
Florian Weimer pointed out that we have three different kinds of
environment variables (and hence tunables):
1. Variables that are removed for setxid processes
2. Variables that are ignored in setxid processes but is passed on to
child processes
3. Variables that are passed on to child processes all the time
Tunables currently only does (2) and (3) when it should be doing (1)
for MALLOC_CHECK_. This patch enhances the is_secure flag in tunables
to an enum value that can specify which of the above three categories
the tunable (and its envvar alias) belongs to.
The default is for tunables to be in (1). Hence, all of the malloc
tunables barring MALLOC_CHECK_ are explicitly specified to belong to
category (2). There were discussions around abolishing category (2)
completely but we can do that as a separate exercise in 2.26.
Tested on x86_64 to verify that there are no regressions.
[BZ #21073]
* elf/dl-tunable-types.h (tunable_seclevel_t): New enum.
* elf/dl-tunables.c (tunables_strdup): Remove.
(get_next_env): Also return the previous envp.
(parse_tunables): Erase tunables of category
TUNABLES_SECLEVEL_SXID_ERASE.
(maybe_enable_malloc_check): Make MALLOC_CHECK_
TUNABLE_SECLEVEL_NONE if /etc/setuid-debug is accessible.
(__tunables_init)[TUNABLES_FRONTEND ==
TUNABLES_FRONTEND_valstring]: Update GLIBC_TUNABLES envvar
after parsing.
[TUNABLES_FRONTEND != TUNABLES_FRONTEND_valstring]: Erase
tunable envvars of category TUNABLES_SECLEVEL_SXID_ERASE.
* elf/dl-tunables.h (struct _tunable): Change member is_secure
to security_level.
* elf/dl-tunables.list: Add security_level annotations for all
tunables.
* scripts/gen-tunables.awk: Recognize and generate enum values
for security_level.
* elf/tst-env-setuid.c: New test case.
* elf/tst-env-setuid-tunables: new test case.
* elf/Makefile (tests-static): Add them.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 30 ++++
elf/Makefile | 6 +-
elf/dl-tunable-types.h | 15 ++
elf/dl-tunables.c | 119 +++++++++++---
elf/dl-tunables.h | 15 +-
elf/dl-tunables.list | 16 ++-
elf/tst-env-setuid-tunables.c | 69 ++++++++
stdlib/tst-secure-getenv.c => elf/tst-env-setuid.c | 176 ++++++++++++--------
scripts/gen-tunables.awk | 8 +-
sysdeps/generic/unsecvars.h | 7 +
10 files changed, 358 insertions(+), 103 deletions(-)
create mode 100644 elf/tst-env-setuid-tunables.c
copy stdlib/tst-secure-getenv.c => elf/tst-env-setuid.c (64%)
--
You are receiving this mail because:
You are on the CC list for the bug.