This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/21073] New: tunables: insecure environment variables passed to subprocesses with AT_SECURE
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 23 Jan 2017 10:22:58 +0000
- Subject: [Bug libc/21073] New: tunables: insecure environment variables passed to subprocesses with AT_SECURE
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=21073
Bug ID: 21073
Summary: tunables: insecure environment variables passed to
subprocesses with AT_SECURE
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security+
Without tunables, MALLOC_CHECK_ is stripped from the environment, so that it is
not accidentally passed to subprocesses. (The intent is that subprocesses do
not inadvertently pick up malicious environment settings.)
This does no longer happen if tunables are enabled. Similarly, the
GLIBC_TUNABLES variable is not rewritten to drop the equivalent option, either.
To reproduce this, I created a small test program and made it SUID root:
#include <stdlib.h>
#include <unistd.h>
int
main (void)
{
setuid (0);
system ("env");
}
Running it as an ordinary user should result in no output:
GLIBC_TUNABLES=glibc.malloc.check=0 LD_DEBUG=files MALLOC_CHECK_=0 ./a.out \
| egrep '^(LD|MALLOC|GLIBC)_'
But I get this output:
MALLOC_CHECK_=0
GLIBC_TUNABLES=glibc.malloc.check=0
(Without tunables support, the GLIBC_TUNABLES variable may still be printed.)
--
You are receiving this mail because:
You are on the CC list for the bug.