From: Solar Designer <solar@openwall.com>
To: musl@lists.openwall.com
Subject: env vars in SUID/SGID programs (was: LD_PRELOAD and RTLD_NEXT support)
Date: Mon, 22 Aug 2011 21:02:06 +0400 [thread overview]
Message-ID: <20110822170206.GA16412@openwall.com> (raw)
In-Reply-To: <20110816124600.GA15681@albatros>
Rich, Vasiliy -
On Tue, Aug 16, 2011 at 04:46:00PM +0400, Vasiliy Kulikov wrote:
> ...btw, I feel it would be cleaner if you check for untrusted environment
> at the time of initializing env_* variables. Currently there is not
> much code between env_X assignment and zeroing, but it might be in the
> future (with addition of ld features, etc.).
>
> for (p = argv+i; ... ) {
> if (is_secure_env)
> env_path = ...
I just took a look at recent musl, and I don't see any safety from env
vars used elsewhere in musl.
If a SUID/SGID program uses execvp(3), what do we want to happen?
Also, for env vars that musl ignores because of SUID/SGID'ness of the
current program, shouldn't it also unset them? This is what we're doing
in glibc on Owl, because of sudo-like programs (where another program is
invoked next - still privileged, but no longer detected as such by libc).
I think these potential precautions I am talking about above should
apply for both static and dynamic binaries. That is, they should be in
musl's program startup code that is used in both cases.
What do you think?
Alexander
next prev parent reply other threads:[~2011-08-22 17:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-16 5:17 LD_PRELOAD and RTLD_NEXT support Rich Felker
2011-08-16 6:34 ` Vasiliy Kulikov
2011-08-16 11:47 ` Rich Felker
2011-08-16 12:46 ` Vasiliy Kulikov
2011-08-16 12:59 ` Rich Felker
2011-08-22 17:02 ` Solar Designer [this message]
2011-08-22 18:13 ` env vars in SUID/SGID programs (was: LD_PRELOAD and RTLD_NEXT support) Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110822170206.GA16412@openwall.com \
--to=solar@openwall.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).