From patchwork Wed Feb 1 11:37:58 2017
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 19078
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com
Subject: [PATCH 2/2] Drop GLIBC_TUNABLES for setxid programs when tunables is disabled
Date: Wed, 1 Feb 2017 17:07:58 +0530
Message-Id: <1485949078-30635-3-git-send-email-siddhesh@sourceware.org>
In-Reply-To: <1485949078-30635-1-git-send-email-siddhesh@sourceware.org>
References: <1485949078-30635-1-git-send-email-siddhesh@sourceware.org>

A setxid program that uses a glibc with tunables disabled may pass on
GLIBC_TUNABLES as is to its child processes. If the child process ends
up using a different glibc that has tunables enabled, it will end up
getting access to unsafe tunables. To fix this, remove GLIBC_TUNABLES
from the environment for setxid process.

	* sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
	* elf/tst-env-setuid-tunables.c
	(test_child_tunables)[!HAVE_TUNABLES]: Verify that
	GLIBC_TUNABLES is removed in a setgid process.
---
 elf/tst-env-setuid-tunables.c | 9 +++++++++
 sysdeps/generic/unsecvars.h   | 7 +++++++
 2 files changed, 16 insertions(+)

diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index a563f69..a5f0a81 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c @@ -36,6 +36,7 @@ test_child_tunables (void) { const char *val = getenv ("GLIBC_TUNABLES"); +#if HAVE_TUNABLES if (val != NULL && strcmp (val, CHILD_VALSTRING_VALUE) == 0) return 0; @@ -43,6 +44,14 @@ test_child_tunables (void) printf ("Unexpected GLIBC_TUNABLES VALUE %s\n", val); return 1; +#else + if (val != NULL) + { + printf ("GLIBC_TUNABLES not cleared\n"); + return 1; + } + return 0; +#endif } static int diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index d5b8119..a740837 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h @@ -1,9 +1,16 @@ +#if !HAVE_TUNABLES +# define GLIBC_TUNABLES_ENVVAR "GLIBC_TUNABLES\0" +#else +# define GLIBC_TUNABLES_ENVVAR +#endif + /* Environment variable to be removed for SUID programs. The names are all stuffed in a single string which means they have to be terminated with a '\0' explicitly. */ #define UNSECURE_ENVVARS \ "GCONV_PATH\0" \ "GETCONF_DIR\0" \ + GLIBC_TUNABLES_ENVVAR \ "HOSTALIASES\0" \ "LD_AUDIT\0" \ "LD_DEBUG\0" \
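Review bot: in the `#else` branch added to test_child_tunables in elf/tst-env-setuid-tunables.c, the failure message "GLIBC_TUNABLES not cleared" drops the value that leaked through. val is known to be non-NULL in that branch, so printing it there, as the HAVE_TUNABLES branch does with "Unexpected GLIBC_TUNABLES VALUE %s", would make a failure diagnosable from the test log alone. A short comment above `#if HAVE_TUNABLES` would also help, because the two branches assert opposite outcomes for the same getenv call: the variable must survive as CHILD_VALSTRING_VALUE with tunables enabled and must be absent with tunables disabled.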
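Review bot: in sysdeps/generic/unsecvars.h, the new `#if !HAVE_TUNABLES` block at the top of the file carries no comment, and no include is visible in the hunk, so the header relies on every file that includes it having HAVE_TUNABLES defined beforehand. If the macro is undefined, `!HAVE_TUNABLES` evaluates to true and GLIBC_TUNABLES is added to the list, which is the safe direction, but that behaviour should be stated rather than left implicit. Please add a comment saying why the variable is listed only when tunables are disabled and where it is filtered for setxid programs when they are enabled, and note there that GLIBC_TUNABLES_ENVVAR has to carry its own trailing "\0" to follow the convention the existing UNSECURE_ENVVARS comment describes.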