This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.



Re: [PATCH] Fix UNSEC_ENVVARS (was Re: [patch] res_conf.h missing security feature)


On Mon, Jan 08, 2001 at 09:52:31AM -0800, Ulrich Drepper wrote:
> > --- libc/sysdeps/generic/unsecvars.h.jj	Tue Sep 26 11:31:25 2000
> > +++ libc/sysdeps/generic/unsecvars.h	Mon Jan  8 17:59:29 2001
> > @@ -4,8 +4,9 @@
> >    "LOCALDOMAIN",							      \
> >    "LOCPATH",								      \
> >    "MALLOC_TRACE",							      \
> > +  "MEMUSAGE_OUTPUT",							      \
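
Review bot: the added "MEMUSAGE_OUTPUT" entry gives no indication of which code reads the variable. It keeps the alphabetical order of the visible entries, but a short comment or changelog line naming the consumer would let a reader confirm that filtering the variable in this header actually covers that consumer.
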
> 
> This is no variable used in the libc proper.

I'm not sure your memusage.c fix is correct though:

      const char *outname = getenv ("MEMUSAGE_OUTPUT");
      if (outname != NULL && outname[0] != '\0'
          && access (outname, R_OK | W_OK) == 0)
        {
          fd = creat (outname, 0666);

this will mean you won't be able to create a new file in a directory you
have permissions to. I believe __secure_getenv here would be better (and as
you can only LD_PRELOAD libmemusage.so and LD_PRELOAD goes away if
__libc_enable_secure, execed processes from the SUID/SGID won't be using
libmemusage.so and thus will be safe).

> > --- libc/sysdeps/generic/segfault.c.jj	Wed Aug  2 21:36:33 2000
> > +++ libc/sysdeps/generic/segfault.c	Mon Jan  8 14:14:55 2001
> > @@ -185,6 +185,9 @@ install_handler (void)
> >    const char *sigs = getenv ("SEGFAULT_SIGNALS");
> >    const char *name;
> >  
> > +  if (__libc_enable_secure)
> > +    return;
> > +
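
Review bot: the early return on __libc_enable_secure at the top of install_handler has no comment saying why a secure process gets no handler at all; state the reason next to the check, since a silent return makes the missing handler hard to diagnose. The check also sits after the getenv ("SEGFAULT_SIGNALS") initialiser, so the environment is still read in the secure case; that is harmless as shown, but moving the lookup below the check would make the intent clearer.
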
> 
> Why?  I can agree to add an __access() call to check the output file
> name but it should not be disabled altogether.

The issue I had in mind is that if some SUID/SGID application crashes, you
could that way reveal some of its state at crash time (e.g. could contain
secret information in the registers etc. at that time).
Alternatively, this could be
  if (__libc_enable_secure && __access ("/etc/suid-debug", F_OK) != 0)
    return;
like rtld.c does already.

	Jakub
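
The memusage.c point from the message above, as an added example (not code from glibc or from either poster): it runs the quoted access() pre-check and a secure-getenv style alternative against a file that does not exist yet in a writable directory. The function names, the /tmp path and the real/effective ID comparison standing in for __libc_enable_secure are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The quoted memusage.c logic: the name must already pass access(). */
int open_prechecked(const char *var)
{
    const char *outname = getenv(var);
    if (outname != NULL && outname[0] != '\0'
        && access(outname, R_OK | W_OK) == 0)
        return creat(outname, 0666);
    return -1;
}

/* The alternative from the reply: ignore the variable in a secure process. */
int open_secure(const char *var)
{
    /* Assumed stand-in for __libc_enable_secure: real/effective IDs differ. */
    int secure = getuid() != geteuid() || getgid() != getegid();
    const char *outname = secure ? NULL : getenv(var);
    if (outname == NULL || outname[0] == '\0')
        return -1;
    return creat(outname, 0666);
}

/* Name a new file in a fresh writable directory; 1 if the opener created it. */
int try_new_file(int (*opener)(const char *))
{
    char dir[] = "/tmp/memusage-demo-XXXXXX";   /* constructed sample path */
    char path[sizeof dir + 8];
    if (mkdtemp(dir) == NULL)
        return -1;                               /* setup failed */
    snprintf(path, sizeof path, "%s/out.dat", dir);
    setenv("MEMUSAGE_OUTPUT", path, 1);
    int fd = opener("MEMUSAGE_OUTPUT");
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return fd >= 0;
}

int main(void)
{
    printf("pre-check: %d\n", try_new_file(open_prechecked));
    printf("secure:    %d\n", try_new_file(open_secure));
    return 0;
}
```

The pre-checked opener fails because access() reports that the file does not exist, even though the directory is writable. Gating on access() also leaves a window between the check and creat() in which the path can change.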
