[2/2] Drop GLIBC_TUNABLES for setxid programs when tunables is disabled
Commit Message
A setxid program that uses a glibc with tunables disabled may pass on
GLIBC_TUNABLES as is to its child processes. If the child process
ends up using a different glibc that has tunables enabled, it will end
up getting access to unsafe tunables. To fix this, remove
GLIBC_TUNABLES from the environment for setxid process.
* sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
* elf/tst-env-setuid-tunables.c
(test_child_tunables)[!HAVE_TUNABLES]: Verify that
GLIBC_TUNABLES is removed in a setgid process.
---
elf/tst-env-setuid-tunables.c | 9 +++++++++
sysdeps/generic/unsecvars.h | 7 +++++++
2 files changed, 16 insertions(+)
Comments
On 02/01/2017 12:37 PM, Siddhesh Poyarekar wrote:
> * sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
> * elf/tst-env-setuid-tunables.c
> (test_child_tunables)[!HAVE_TUNABLES]: Verify that
> GLIBC_TUNABLES is removed in a setgid process.
Looks reasonable. Thanks.
Florian
@@ -36,6 +36,7 @@ test_child_tunables (void)
{
const char *val = getenv ("GLIBC_TUNABLES");
+#if HAVE_TUNABLES
if (val != NULL && strcmp (val, CHILD_VALSTRING_VALUE) == 0)
return 0;
@@ -43,6 +44,14 @@ test_child_tunables (void)
printf ("Unexpected GLIBC_TUNABLES VALUE %s\n", val);
return 1;
+#else
+ if (val != NULL)
+ {
+ printf ("GLIBC_TUNABLES not cleared\n");
+ return 1;
+ }
+ return 0;
+#endif
}
static int
@@ -1,9 +1,16 @@
+#if !HAVE_TUNABLES
+# define GLIBC_TUNABLES_ENVVAR "GLIBC_TUNABLES\0"
+#else
+# define GLIBC_TUNABLES_ENVVAR
+#endif
+
/* Environment variable to be removed for SUID programs. The names are
all stuffed in a single string which means they have to be terminated
with a '\0' explicitly. */
#define UNSECURE_ENVVARS \
"GCONV_PATH\0" \
"GETCONF_DIR\0" \
+ GLIBC_TUNABLES_ENVVAR \
"HOSTALIASES\0" \
"LD_AUDIT\0" \
"LD_DEBUG\0" \