This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- From: "thoger at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Mon, 11 Apr 2011 14:22:28 +0000
- Subject: [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- Auto-submitted: auto-generated
- References: <bug-12393-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #1 from Tomas Hoger <thoger at redhat dot com> 2011-04-11 14:22:23 UTC ---
All mentioned cases now seem to be addressed in Andreas' fedora master git
branch. The following seem to be the relevant commits:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=101fdc24
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=049b59f7
(In reply to comment #0)
> ld.so currently expands $ORIGIN in privileged programs' RPATH when $ORIGIN is
> listed alone (see _dl_dst_count and is_dst)
is_dst() was changed by the above patches to flag $ORIGIN as a recognized DST
even when in __libc_enable_secure mode. $ORIGIN is no longer expanded for
executables, but it is for libraries.
> $ORIGIN is not expanded if it's not the only thing in RPATH, e.g. in cases
> like $ORIGIN/../lib, as DL_DST_COUNT() returns 0 and
> expand_dynamic_string_token() uses strdup rather than _dl_dst_substitute()
As is_dst() no longer ignores $ORIGIN for privileged programs, DL_DST_COUNT()
does not return 0 any more and _dl_dst_substitute() is called.
A few comments regarding the applied changes:
- the following comment in _dl_dst_substitute() is not completely correct:
    /* $ORIGIN is not expanded for SUID/GUID programs
       (except if it is $ORIGIN alone) and it must always
       appear first in path. */
Expansion does not happen for SUID/SGID programs, but does for the libs they
use.
- the following comment is a bit misleading:
    /* Also skip following colon if this is the first rpath
       element, but keep an empty element at the end. */
The colon is skipped if there was no output written to the result buffer yet, so it
may happen multiple times if multiple rpath elements are skipped (e.g.
$ORIGIN:$ORIGIN:/lib).
- is_dst() no longer uses the start argument passed to it. _dl_dst_count() only
uses start to pass it to is_dst().
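
An added example, not part of the original comment or of glibc: a small defensive audit that lists setuid/setgid ELF files whose RPATH or RUNPATH contains $ORIGIN, the combination this bug is about. It assumes binutils' readelf is installed; the function names and the sample readelf output are constructed for illustration.

```python
import os
import re
import stat
import subprocess
import sys

# Matches the RPATH/RUNPATH lines printed by `readelf -d`, e.g.
#  0x000000000000000f (RPATH)   Library rpath: [$ORIGIN/../lib]
_DYN_PATH = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
# Conservative: flag $ORIGIN or ${ORIGIN} anywhere in an element, which covers
# both "$ORIGIN" alone and forms such as "$ORIGIN/../lib" from the bug report.
_ORIGIN = re.compile(r"\$(?:ORIGIN|\{ORIGIN\})")

# Constructed sample of `readelf -d` output (not taken from a real binary).
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN:${ORIGIN}/../lib:/usr/lib]
"""

def origin_entries(readelf_dynamic: str):
    """Return (tag, element) for every RPATH/RUNPATH element that uses $ORIGIN."""
    return [(tag, elem)
            for tag, value in _DYN_PATH.findall(readelf_dynamic)
            for elem in value.split(":")
            if _ORIGIN.search(elem)]

def is_privileged(mode: int) -> bool:
    """True for a regular file with the set-user-ID or set-group-ID bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit(path: str):
    """Findings for one file; empty unless it is setuid/setgid and uses $ORIGIN."""
    if not is_privileged(os.lstat(path).st_mode):
        return []
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=False,
                         env={**os.environ, "LC_ALL": "C"}).stdout
    return origin_entries(out)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for tag, elem in audit(path):
            print(f"{path}: {tag} element {elem!r} uses $ORIGIN")
```

Because the comment above notes that $ORIGIN is still expanded for the libraries a privileged program uses, pass the `readelf -d` output of those libraries to `origin_entries()` as well.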