This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN


http://sourceware.org/bugzilla/show_bug.cgi?id=12393

--- Comment #1 from Tomas Hoger <thoger at redhat dot com> 2011-04-11 14:22:23 UTC ---
All mentioned cases now seem to be addressed in Andreas' fedora master git
branch.  The following seem to be the relevant commits:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=101fdc24
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=049b59f7

(In reply to comment #0)
> ld.so currently expands $ORIGIN in privileged programs' RPATH when $ORIGIN is
> listed alone (see _dl_dst_count and is_dst)

is_dst() was changed by the above patches to flag $ORIGIN as a recognized DST
even when in __libc_enable_secure mode.  $ORIGIN is no longer expanded for
executables, but it is for libraries.

> $ORIGIN is not expanded if it's not the only thing in RPATH, e.g. in cases
> like $ORIGIN/../lib, as DL_DST_COUNT() returns 0 and
> expand_dynamic_string_token() uses strdup rather than _dl_dst_substitute()

As is_dst() no longer ignores $ORIGIN for privileged programs, DL_DST_COUNT()
does not return 0 any more and _dl_dst_substitute() is called.


A few comments regarding the applied changes:

- the following comment in _dl_dst_substitute() is not completely correct:
    /* $ORIGIN is not expanded for SUID/GUID programs
       (except if it is $ORIGIN alone) and it must always
       appear first in path.  */
Expansion does not happen for SUID/SGID programs, but does for the libs they
use.

- the following comment is a bit misleading:
    /* Also skip following colon if this is the first rpath
       element, but keep an empty element at the end.  */
The colon is skipped if there was no output written to the result buffer yet,
so it may happen multiple times if multiple rpath elements are skipped (e.g.
$ORIGIN:$ORIGIN:/lib).

- is_dst() no longer uses the start argument passed to it.  _dl_dst_count()
only uses start to pass it to is_dst().

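The colon-skipping behaviour discussed in the comment above, as an added, stand-alone model that is not glibc's _dl_dst_substitute() and not code from the bug report. The function names (expand_origin, has_empty_element, expands_to, origin_dst_len), the rule "a NULL origin means the element containing $ORIGIN must be dropped", the sample RPATH strings and the origin "/opt/app/bin" are all assumptions made for illustration. It mirrors the substitution loop's test that skips the colon only while nothing has been written to the result yet, so several leading elements collapse ($ORIGIN:$ORIGIN:/lib becomes /lib), while a dropped element after some output leaves an empty element behind.

```c
/* Added model of $ORIGIN handling in a colon-separated RPATH.  Not glibc's
   _dl_dst_substitute(); names and the NULL-origin drop policy are assumptions
   for illustration.  */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the DST token if NAME (just past a '$') is ORIGIN or {ORIGIN}, else 0.  */
static size_t origin_dst_len(const char *name)
{
    if (strncmp(name, "ORIGIN", 6) == 0)
        return 6;
    if (strncmp(name, "{ORIGIN}", 8) == 0)
        return 8;
    return 0;
}

/* Expand $ORIGIN in RPATH.  ORIGIN is the replacement, or NULL when the origin
   must not be used (modelling the privileged-executable case): each element
   containing $ORIGIN is then discarded.  Returns a malloc'd string.  */
char *expand_origin(const char *rpath, const char *origin)
{
    size_t cap = strlen(rpath) + 1;          /* worst case: every '$' grows */
    if (origin != NULL)
        for (const char *p = rpath; *p; ++p)
            if (*p == '$')
                cap += strlen(origin);

    char *result = malloc(cap);
    if (result == NULL)
        return NULL;

    char *wp = result;          /* write position */
    char *last_elem = result;   /* start of the element being written */
    const char *name = rpath;

    while (*name != '\0') {
        if (*name == '$') {
            size_t len = origin_dst_len(name + 1);
            if (len == 0) {                  /* not a DST we recognise */
                *wp++ = *name++;
                continue;
            }
            name += 1 + len;
            if (origin != NULL) {
                size_t olen = strlen(origin);
                memcpy(wp, origin, olen);
                wp += olen;
                continue;
            }
            /* Replacement unknown: drop the whole element ...  */
            wp = last_elem;
            while (*name != '\0' && *name != ':')
                ++name;
            /* ... and its colon, but only while nothing has been written
               yet and this is not the last element.  */
            if (wp == result && *name == ':' && name[1] != '\0')
                ++name;
            continue;
        }
        if (*name == ':')
            last_elem = wp + 1;  /* next element starts after the colon */
        *wp++ = *name++;
    }
    *wp = '\0';
    return result;
}

/* True if PATH has an empty element (leading, doubled or trailing colon),
   which ld.so searches as the current directory.  An empty PATH counts as
   no search path at all in this model.  */
bool has_empty_element(const char *path)
{
    size_t n = strlen(path);
    if (n == 0)
        return false;
    return path[0] == ':' || path[n - 1] == ':' || strstr(path, "::") != NULL;
}

/* Convenience check: does RPATH expand to EXPECTED under ORIGIN?  */
bool expands_to(const char *rpath, const char *origin, const char *expected)
{
    char *got = expand_origin(rpath, origin);
    bool ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample RPATHs.  */
    const char *cases[] = { "$ORIGIN:$ORIGIN:/lib", "$ORIGIN/../lib:/lib",
                            "/lib:$ORIGIN:/usr/lib", "/lib:$ORIGIN" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        char *secure = expand_origin(cases[i], NULL);
        char *lib = expand_origin(cases[i], "/opt/app/bin");
        printf("%-24s secure: %-16s%s  lib: %s\n", cases[i], secure,
               has_empty_element(secure) ? " (empty element!)" : "", lib);
        free(secure);
        free(lib);
    }
    return 0;
}
```

Running main() shows the two behaviours side by side: with the origin withheld, $ORIGIN:$ORIGIN:/lib and $ORIGIN/../lib:/lib both collapse to /lib, whereas /lib:$ORIGIN:/usr/lib becomes /lib::/usr/lib and /lib:$ORIGIN becomes /lib:, each containing an empty element that ld.so would search as the current directory.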

