diff mbox series

[v2,01/19] elf: Remove /etc/suid-debug support

Message ID	20231017130526.2216827-2-adhemerval.zanella@linaro.org
State	Superseded
Delegated to:	Siddhesh Poyarekar
Headers	DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 56A483858410 From: Adhemerval Zanella <adhemerval.zanella@linaro.org> To: libc-alpha@sourceware.org, Siddhesh Poyarekar <siddhesh@sourceware.org> Subject: [PATCH v2 01/19] elf: Remove /etc/suid-debug support Date: Tue, 17 Oct 2023 10:05:08 -0300 Message-Id: <20231017130526.2216827-2-adhemerval.zanella@linaro.org> In-Reply-To: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> References: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
Series	Improve loader environment variable handling \| [v2,00/19] Improve loader environment variable handling [v2,01/19] elf: Remove /etc/suid-debug support [v2,02/19] elf: Add GLIBC_TUNABLES to unsecvars [v2,03/19] elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries [v2,04/19] elf: Add all malloc tunable to unsecvars [v2,05/19] elf: Do not process invalid tunable format [v2,06/19] elf: Do not parse ill-formatted strings [v2,07/19] elf: Fix _dl_debug_vdprintf to work before self-relocation [v2,08/19] elf: Emit warning if tunable is ill-formatted [v2,09/19] x86: Use dl-symbol-redir-ifunc.h on cpu-tunables [v2,10/19] s390: Use dl-symbol-redir-ifunc.h on cpu-tunables [v2,11/19] elf: Do not duplicate the GLIBC_TUNABLES string [v2,12/19] elf: Ignore LD_PROFILE for setuid binaries [v2,13/19] elf: Remove LD_PROFILE for static binaries [v2,14/19] elf: Ignore loader debug env vars for setuid [v2,15/19] elf: Remove any_debug from dl_main_state [v2,16/19] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static [v2,17/19] elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secure [v2,18/19] elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries [v2,19/19] elf: Refactor process_envvars

Checks

Context	Check	Description
redhat-pt-bot/TryBot-apply_patch	success	Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm	success	Testing passed

Commit Message

Adhemerval Zanella Netto Oct. 17, 2023, 1:05 p.m. UTC

  Since malloc debug support moved to a different library
(libc_malloc_debug.so), the glibc.malloc.check requires preloading the
debug library to enable it.  It means that suid-debug support has not
been working since 2.34.

To restore its support, it would require to add additional information
and parsing to where to find libc_malloc_debug.so.

It is one thing less that might change AT_SECURE binaries' behavior
due to environment configurations.

Checked on x86_64-linux-gnu.
---
 elf/dl-tunables.c    | 16 ----------------
 elf/rtld.c           |  3 +--
 manual/memory.texi   |  4 +---
 manual/tunables.texi |  4 +---
 4 files changed, 3 insertions(+), 24 deletions(-)

Comments

Siddhesh Poyarekar Oct. 18, 2023, 12:31 p.m. UTC | #1

On 2023-10-17 09:05, Adhemerval Zanella wrote:
> Since malloc debug support moved to a different library
> (libc_malloc_debug.so), the glibc.malloc.check requires preloading the
> debug library to enable it.  It means that suid-debug support has not
> been working since 2.34.
> 
> To restore its support, it would require to add additional information
> and parsing to where to find libc_malloc_debug.so.

Could you elaborate slightly in the commit message, like so:

   To restore its support, we would require to add additional information
   and parsing to locate libc_malloc_debug.so, which is not worth the
   additional risk it might pose.

LGTM.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

> 
> It is one thing less that might change AT_SECURE binaries' behavior
> due to environment configurations.
> 
> Checked on x86_64-linux-gnu.
> ---
>   elf/dl-tunables.c    | 16 ----------------
>   elf/rtld.c           |  3 +--
>   manual/memory.texi   |  4 +---
>   manual/tunables.texi |  4 +---
>   4 files changed, 3 insertions(+), 24 deletions(-)
> 
> diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> index cae67efa0a..24252af22c 100644
> --- a/elf/dl-tunables.c
> +++ b/elf/dl-tunables.c
> @@ -252,20 +252,6 @@ parse_tunables (char *tunestr, char *valstring)
>       tunestr[off] = '\0';
>   }
>   
> -/* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
> -   the system administrator has created the /etc/suid-debug file.  This is a
> -   special case where we want to conditionally enable/disable a tunable even
> -   for setuid binaries.  We use the special version of access() to avoid
> -   setting ERRNO, which is a TLS variable since TLS has not yet been set
> -   up.  */
> -static __always_inline void
> -maybe_enable_malloc_check (void)
> -{
> -  tunable_id_t id = TUNABLE_ENUM_NAME (glibc, malloc, check);
> -  if (__libc_enable_secure && __access_noerrno ("/etc/suid-debug", F_OK) == 0)
> -    tunable_list[id].security_level = TUNABLE_SECLEVEL_NONE;
> -}
> -

Dropped function.  OK.

>   /* Initialize the tunables list from the environment.  For now we only use the
>      ENV_ALIAS to find values.  Later we will also use the tunable names to find
>      values.  */
> @@ -277,8 +263,6 @@ __tunables_init (char **envp)
>     size_t len = 0;
>     char **prev_envp = envp;
>   
> -  maybe_enable_malloc_check ();
> -

Drop malloc checking.  OK.  Current testsuite run should cover any 
possible regressions from this and it's clean so we're good.

>     while ((envp = get_next_env (envp, &envname, &len, &envval,
>   			       &prev_envp)) != NULL)
>       {
> diff --git a/elf/rtld.c b/elf/rtld.c
> index 5107d16fe3..51b6d9f326 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -2670,8 +2670,7 @@ process_envvars (struct dl_main_state *state)
>   	}
>         while (*nextp != '\0');
>   
> -      if (__access ("/etc/suid-debug", F_OK) != 0)
> -	GLRO(dl_debug_mask) = 0;
> +      GLRO(dl_debug_mask) = 0;

Unconditionally set dl_debug_mask.  OK.

>   
>         if (state->mode != rtld_mode_normal)
>   	_exit (5);
> diff --git a/manual/memory.texi b/manual/memory.texi
> index 5781a64f35..258fdbd3a0 100644
> --- a/manual/memory.texi
> +++ b/manual/memory.texi
> @@ -1379,9 +1379,7 @@ There is one problem with @code{MALLOC_CHECK_}: in SUID or SGID binaries
>   it could possibly be exploited since diverging from the normal programs
>   behavior it now writes something to the standard error descriptor.
>   Therefore the use of @code{MALLOC_CHECK_} is disabled by default for
> -SUID and SGID binaries.  It can be enabled again by the system
> -administrator by adding a file @file{/etc/suid-debug} (the content is
> -not important it could be empty).
> +SUID and SGID binaries.
>   
>   So, what's the difference between using @code{MALLOC_CHECK_} and linking
>   with @samp{-lmcheck}?  @code{MALLOC_CHECK_} is orthogonal with respect to
> diff --git a/manual/tunables.texi b/manual/tunables.texi
> index 776fd93fd9..347b5698b5 100644
> --- a/manual/tunables.texi
> +++ b/manual/tunables.texi
> @@ -136,9 +136,7 @@ termination of the process.
>   Like @env{MALLOC_CHECK_}, @code{glibc.malloc.check} has a problem in that it
>   diverges from normal program behavior by writing to @code{stderr}, which could
>   by exploited in SUID and SGID binaries.  Therefore, @code{glibc.malloc.check}
> -is disabled by default for SUID and SGID binaries.  This can be enabled again
> -by the system administrator by adding a file @file{/etc/suid-debug}; the
> -content of the file could be anything or even empty.
> +is disabled by default for SUID and SGID binaries.
>   @end deftp
>   
>   @deftp Tunable glibc.malloc.top_pad

Manual updates.  OK.

Thanks,
Sid

Adhemerval Zanella Netto Oct. 18, 2023, 6:27 p.m. UTC | #2

On 18/10/23 09:31, Siddhesh Poyarekar wrote:
> On 2023-10-17 09:05, Adhemerval Zanella wrote:
>> Since malloc debug support moved to a different library
>> (libc_malloc_debug.so), the glibc.malloc.check requires preloading the
>> debug library to enable it.  It means that suid-debug support has not
>> been working since 2.34.
>>
>> To restore its support, it would require to add additional information
>> and parsing to where to find libc_malloc_debug.so.
> 
> Could you elaborate slightly in the commit message, like so:
> 
>   To restore its support, we would require to add additional information
>   and parsing to locate libc_malloc_debug.so, which is not worth the
>   additional risk it might pose.

Ack.

> 
> LGTM.
> 
> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

diff mbox series

Patch

diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index cae67efa0a..24252af22c 100644
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -252,20 +252,6 @@  parse_tunables (char *tunestr, char *valstring)
     tunestr[off] = '\0';
 }
 
-/* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
-   the system administrator has created the /etc/suid-debug file.  This is a
-   special case where we want to conditionally enable/disable a tunable even
-   for setuid binaries.  We use the special version of access() to avoid
-   setting ERRNO, which is a TLS variable since TLS has not yet been set
-   up.  */
-static __always_inline void
-maybe_enable_malloc_check (void)
-{
-  tunable_id_t id = TUNABLE_ENUM_NAME (glibc, malloc, check);
-  if (__libc_enable_secure && __access_noerrno ("/etc/suid-debug", F_OK) == 0)
-    tunable_list[id].security_level = TUNABLE_SECLEVEL_NONE;
-}
-
 /* Initialize the tunables list from the environment.  For now we only use the
    ENV_ALIAS to find values.  Later we will also use the tunable names to find
    values.  */
@@ -277,8 +263,6 @@  __tunables_init (char **envp)
   size_t len = 0;
   char **prev_envp = envp;
 
-  maybe_enable_malloc_check ();
-
   while ((envp = get_next_env (envp, &envname, &len, &envval,
 			       &prev_envp)) != NULL)
     {
diff --git a/elf/rtld.c b/elf/rtld.c
index 5107d16fe3..51b6d9f326 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2670,8 +2670,7 @@  process_envvars (struct dl_main_state *state)
 	}
       while (*nextp != '\0');
 
-      if (__access ("/etc/suid-debug", F_OK) != 0)
-	GLRO(dl_debug_mask) = 0;
+      GLRO(dl_debug_mask) = 0;
 
       if (state->mode != rtld_mode_normal)
 	_exit (5);
diff --git a/manual/memory.texi b/manual/memory.texi
index 5781a64f35..258fdbd3a0 100644
--- a/manual/memory.texi
+++ b/manual/memory.texi
@@ -1379,9 +1379,7 @@  There is one problem with @code{MALLOC_CHECK_}: in SUID or SGID binaries
 it could possibly be exploited since diverging from the normal programs
 behavior it now writes something to the standard error descriptor.
 Therefore the use of @code{MALLOC_CHECK_} is disabled by default for
-SUID and SGID binaries.  It can be enabled again by the system
-administrator by adding a file @file{/etc/suid-debug} (the content is
-not important it could be empty).
+SUID and SGID binaries.
 
 So, what's the difference between using @code{MALLOC_CHECK_} and linking
 with @samp{-lmcheck}?  @code{MALLOC_CHECK_} is orthogonal with respect to
diff --git a/manual/tunables.texi b/manual/tunables.texi
index 776fd93fd9..347b5698b5 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -136,9 +136,7 @@  termination of the process.
 Like @env{MALLOC_CHECK_}, @code{glibc.malloc.check} has a problem in that it
 diverges from normal program behavior by writing to @code{stderr}, which could
 by exploited in SUID and SGID binaries.  Therefore, @code{glibc.malloc.check}
-is disabled by default for SUID and SGID binaries.  This can be enabled again
-by the system administrator by adding a file @file{/etc/suid-debug}; the
-content of the file could be anything or even empty.
+is disabled by default for SUID and SGID binaries.
 @end deftp
 
 @deftp Tunable glibc.malloc.top_pad