This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] Declare set*id with warn_unused_result

On 07/24/2012 03:31 PM, Paul Eggert wrote:
On 07/24/2012 06:07 AM, Florian Weimer wrote: 
The set*uid kernel changes have not been backported widely,
and software has to run correctly on such kernels


But typically there is no reasonable way to run correctly on
such kernels, right?  For example, a library function might invoke
seteuid to temporarily change the EUID, and invoke seteuid again to
change it back.  If the latter call fails, there's nothing
the function can do.

It could (and probably should) call abort because something has gone horribly wrong.

If this proposed change were installed, it's
plausible that an application developer wouldn't notice this
sort of issue, and would introduce further security bugs
in an attempt to pacify GCC.

Which issue? Currently, the application keeps running with an unexpected UID, and this has led to privilege escalation vulnerabilities. I don't see how encouraging the programmer to add checks could make things any worse.

Users with unfixed kernels will have the problem regardless
of the proposed change, since they'll almost invariably be
using unfixed apps as well.

We fix applications which do not check the results of set*id calls when we come across them. The patch intends to help with this.

I forgot to mention that even current kernels code can return ENOMEM, it is just harder to hit.

--
Florian Weimer / Red Hat Product Security Team


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]