diff options
author | csjp <csjp@FreeBSD.org> | 2007-05-17 18:00:27 +0000 |
---|---|---|
committer | csjp <csjp@FreeBSD.org> | 2007-05-17 18:00:27 +0000 |
commit | 9c7934b018b6822bc955874e98ef8274306df4b2 (patch) | |
tree | 5f85f72d9fcaa91dfab267321f002677b17883e0 /libexec | |
parent | 95bf1ef490be6f898f480348aadc72480bb7a0cd (diff) | |
download | FreeBSD-src-9c7934b018b6822bc955874e98ef8274306df4b2.zip FreeBSD-src-9c7934b018b6822bc955874e98ef8274306df4b2.tar.gz |
In the event a process is tainted (setuid/setgid binaries), un-set any
potentially dangerous environment variables all together. It should be
noted that the run-time linker will not honnor these environment variables
if the process is tainted currently. However, once a child of the tainted
process calls setuid(2), it's status as being tainted (as defined by
issetugid(2)) will be removed. This could be problematic because
subsequent activations of the run-time linker could honnor these
dangerous variables.
This is more of an anti foot-shot mechanism, there is nothing I am
aware of in base that does this, however there may be third party
utilities which do, and there is no real negative impact of clearing
these environment variables.
Discussed on: secteam
Reviewed by: cperciva
PR: kern/109836
MFC after: 2 weeks
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/rtld-elf/rtld.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index 034c8ed..395079f 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -351,16 +351,26 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp) trust = !issetugid(); ld_bind_now = getenv(LD_ "BIND_NOW"); - if (trust) { - ld_debug = getenv(LD_ "DEBUG"); - libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; - libmap_override = getenv(LD_ "LIBMAP"); - ld_library_path = getenv(LD_ "LIBRARY_PATH"); - ld_preload = getenv(LD_ "PRELOAD"); - dangerous_ld_env = libmap_disable || (libmap_override != NULL) || - (ld_library_path != NULL) || (ld_preload != NULL); - } else - dangerous_ld_env = 0; + /* + * If the process is tainted, then we un-set the dangerous environment + * variables. The process will be marked as tainted until setuid(2) + * is called. If any child process calls setuid(2) we do not want any + * future processes to honor the potentially un-safe variables. + */ + if (!trust) { + unsetenv(LD_ "PRELOAD"); + unsetenv(LD_ "LIBMAP"); + unsetenv(LD_ "LIBRARY_PATH"); + unsetenv(LD_ "LIBMAP_DISABLE"); + unsetenv(LD_ "DEBUG"); + } + ld_debug = getenv(LD_ "DEBUG"); + libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; + libmap_override = getenv(LD_ "LIBMAP"); + ld_library_path = getenv(LD_ "LIBRARY_PATH"); + ld_preload = getenv(LD_ "PRELOAD"); + dangerous_ld_env = libmap_disable || (libmap_override != NULL) || + (ld_library_path != NULL) || (ld_preload != NULL); ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS"); ld_utrace = getenv(LD_ "UTRACE"); |