This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [Patch] Document __secure_getenv


On 07/11/2012 06:06 PM, Carlos O'Donell wrote:
On 7/11/2012 11:44 AM, Florian Weimer wrote:
I cannot use the new symbol because that would introduce a dependency on a new libc version.

Use <new name for __secure_getenv> if libc supports it, otherwise keep using __secure_getenv.

After adding the new interface we can make __secure_getenv
hidden so no new programs can be linked against it.

I'm trying to do this, but I can't get __secure_getenv exported, and the internal references do not use a GLIBC_PRIVATE symbol either.


I've attached my current attempt. (I know that I'll eventually have to update the abilist files.)

Is there a symbol which shared a similar fate? Then I could duplicate what was done back then.

--
Florian Weimer / Red Hat Product Security Team
2012-07-11  Florian Weimer  <fweimer@redhat.com>

	* manual/startup.texi (Environment Access): Document
          __secure_getenv.

diff --git a/manual/startup.texi b/manual/startup.texi
index 0420e93..73c6624 100644
--- a/manual/startup.texi
+++ b/manual/startup.texi
@@ -310,11 +310,15 @@ character, since this is assumed to terminate the string.
 
 The value of an environment variable can be accessed with the
 @code{getenv} function.  This is declared in the header file
-@file{stdlib.h}.  Modifications of enviroment variables are not
-allowed in Multi-threaded programs.  The @code{getenv} function
-can be safely used in multi-threaded programs
+@file{stdlib.h}.  
 @pindex stdlib.h
 
+Libraries should use @code{__secure_getenv} instead of @code{getenv},
+so that they do not accidentally use entrusted environment variables.
+Modifications of environment variables are not allowed in
+multi-threaded programs.  The @code{getenv} function can be safely
+used in multi-threaded programs.
+
 @comment stdlib.h
 @comment ISO
 @deftypefun {char *} getenv (const char *@var{name})
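
Review bot: in the added paragraph, "so that they do not accidentally use entrusted environment variables" says the opposite of what is meant; it should read "untrusted". The paragraph also recommends `__secure_getenv` before either function has been described and then switches to two sentences about `getenv` and threads, so consider keeping the thread-safety sentences directly after the `stdlib.h` sentence and putting the library recommendation last. The replacement line `+@file{stdlib.h}.  ` ends in trailing whitespace.
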
@@ -326,6 +330,18 @@ environment variable @var{name} is not defined, the value is a null
 pointer.
 @end deftypefun
 
+@comment stdlib.h
+@comment GNU
+@deftypefun {char *} __secure_getenv (const char *@var{name})
+This function is similar to @code{getenv}, but it returns a null
+pointer if the environment is untrusted.  This happens when the
+program file has SUID or SGID bits set.  General-purpose libraries
+should always prefer this function over @code{getenv}, to avoid
+vulnerabilities if the library is referenced from a SUID/SGID program.
+
+This function is a GNU extension.
+@end deftypefun
+
 
 @comment stdlib.h
 @comment SVID
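
Review bot: the sentence "This happens when the program file has SUID or SGID bits set" in the new `@deftypefun` entry reads as the complete definition of an untrusted environment; if any other case is treated as untrusted, the entry should say so, or the sentence should be worded as an example ("for instance, when ..."). The entry tells general-purpose libraries to "always prefer" a double-underscore name but, unlike the `getenv` paragraph, its prose does not say which header declares it; only the `@comment stdlib.h` line does. Style: the added blank `+` line after `@end deftypefun` sits next to an existing blank context line, which leaves two blank lines before the next `@comment stdlib.h`.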
