Page MenuHomeFreeBSD
Differential D34074

rtld: restore abort for malformed environments while setuid
AbandonedPublic
Actions

Authored by kevans on Jan 28 2022, 5:56 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, May 1, 9:38 AM
Unknown Object (File)
Mar 31 2024, 11:39 AM
Unknown Object (File)
Mar 31 2024, 7:49 AM
Unknown Object (File)
Mar 3 2024, 4:32 AM
Unknown Object (File)
Dec 12 2023, 10:11 AM
Unknown Object (File)
Nov 18 2023, 3:29 PM
Unknown Object (File)
Nov 17 2023, 8:56 PM
Unknown Object (File)
Oct 14 2023, 2:02 PM
View All 12 Files
Subscribers
bdragon
imp

Details

Reviewers
emaste
kib
markj
cperciva
Summary

From 2009 up until bfd4c875a105 ("rtld: avoid use of of getenv(3) ..."),
rtld would abort if a malformed environment was observed in tainted
executions. The abort was added at the time because we wouldn't be able
to unset any of the sensitive env vars that we try to sanitize. This
has been rewritten such that that isn't an issue anymore, but a
malformed environment like this can be a good indicator that the caller
is trying to do something hinky; let's restore the previous behavior.

Discussed with: emaste

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 44135
Build 41023: arc lint + arc unit

Event Timeline

kevans created this revision.Jan 28 2022, 5:56 AM
Herald added subscribers: bdragon, imp. · View Herald TranscriptJan 28 2022, 5:56 AM
kevans requested review of this revision.Jan 28 2022, 5:56 AM
kevans added a reviewer: cperciva.Jan 28 2022, 5:56 AM
Harbormaster completed remote builds in B44135: Diff 102030.Jan 28 2022, 5:57 AM
kib added a comment.Jan 28 2022, 6:48 AM

In my opinion, it is not an rtld job to enforce policies on the application. It is application itself, might be libc, which should do anything there. But even with libc, library should not enforce the policy either.

Next day somebody would trick some binary that is not suid to do stupid thing with non-compliant environment, and then what, rtld should be tasked with sanitizing and aborting?

kevans added a comment.Jan 28 2022, 10:42 PM
In D34074#770475, @kib wrote:

In my opinion, it is not an rtld job to enforce policies on the application. It is application itself, might be libc, which should do anything there. But even with libc, library should not enforce the policy either.

Next day somebody would trick some binary that is not suid to do stupid thing with non-compliant environment, and then what, rtld should be tasked with sanitizing and aborting?

libc seems to go scorched earth after seeing this anyways: https://cgit.freebsd.org/src/tree/lib/libc/stdlib/getenv.c#n364

kevans abandoned this revision.Jan 28 2022, 10:42 PM
kib added a comment.Jan 28 2022, 11:08 PM
In D34074#770732, @kevans wrote:
In D34074#770475, @kib wrote:

In my opinion, it is not an rtld job to enforce policies on the application. It is application itself, might be libc, which should do anything there. But even with libc, library should not enforce the policy either.

Next day somebody would trick some binary that is not suid to do stupid thing with non-compliant environment, and then what, rtld should be tasked with sanitizing and aborting?

libc seems to go scorched earth after seeing this anyways: https://cgit.freebsd.org/src/tree/lib/libc/stdlib/getenv.c#n364

So libc approach, as already implemented, is clearly superior:

  • it is done in the right way, i.e. process is not abruptly terminated, but an error is returned instead
  • it is handled both for static and dynamic binaries
  • all processes are protected, not only suid

Revision Contents
Changeset List

PathSize
libexec/
rtld-elf/
29 lines

Diff 102030

View Options

libexec/rtld-elf/rtld.c

Loading...