Summary: | stable glibc completely filters LD_PRELOAD for setuid/setgid binaries | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Richard Fish <bigfish>
Component: | [OLD] Library | Assignee: | Gentoo Toolchain Maintainers <toolchain>
Status: | RESOLVED WORKSFORME | |
Severity: | normal | CC: | stian
Priority: | High | |
Version: | unspecified | |
Hardware: | x86 | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description:

In addition to fixing an LD_DEBUG vulnerability (GLSA 200408-16), glibc-sec-hotfix-20040916.patch moves the cleansing of the LD_ environment to before the environment is saved for the current process. This disables LD_PRELOAD for all setuid/setgid binaries. This part of the patch did not make it into the glibc CVS repository, and does not appear in glibc-20050125-r1.

Reproducible: Always

Steps to Reproduce:

    > sudo chmod 4444 /lib/libz.so
    > sudo chmod 4755 /usr/bin/strace
    > /usr/bin/strace -e open -E LD_PRELOAD=libz.so /bin/login 2>&1 | grep libz

Actual Results: With glibc versions before 2.3.4.20050125, libz.so will not be loaded by /bin/login.

*** Bug 86848 has been marked as a duplicate of this bug. ***

Comment: isn't LD_PRELOAD seen as a security problem for setuid/setgid programs in general?

Comment (Richard Fish): Yes, which is why the glibc provided by gnu:

1. requires any LD_PRELOAD libraries for a setuid/setgid executable also be marked setuid/setgid, the assumption being that the administrator knows whether a particular library is safe or not.
2. filters LD_PRELOAD from the environment after performing the resolution, so that no child processes spawned by the setuid/setgid program inherit this setting. The program must reset LD_PRELOAD if necessary...as you can see from my strace example.

Comment (Gentoo Toolchain Maintainers): we're pushing glibc-2.3.5 which should be OK. if you want, post an updated glibc-sec-hotfix-20040916.patch and i'll merge it, otherwise i'll just leave this as resolved.
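An audit helper, added here as an example and not part of the bug report: under rule 1 above, a shared object carrying a setuid or setgid bit is exactly what glibc of that era would accept as an LD_PRELOAD for a setuid program, so on a sane system the list it prints should be empty. The directories to scan are passed as arguments; the library names in the self-test are constructed and do not refer to libz.so.

```shell
#!/bin/sh
# List shared objects (*.so, *.so.N) that have the setuid or setgid bit set.
# Under the glibc rule quoted in this bug, only such libraries are honoured
# as LD_PRELOAD for setuid/setgid programs, so any hit here is worth a look.
# Usage: find_suid_libs DIR [DIR...]   -> one path per line
find_suid_libs() {
    # -perm -4000: setuid bit present; -perm -2000: setgid bit present
    find "$@" -xdev -type f \( -name '*.so' -o -name '*.so.*' \) \
        \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Pass/fail wrapper for cron or CI: exit 0 when no setuid/setgid
# shared objects exist under the given directories, 1 otherwise.
check_no_suid_libs() {
    n=$(find_suid_libs "$@" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Self-test on a constructed scratch directory (never touches /lib):
# one ordinary library and one given mode 4444, as in the reproduction steps.
selftest() {
    t=$(mktemp -d) || return 1
    touch "$t/libclean.so.1" "$t/libodd.so"
    chmod 0644 "$t/libclean.so.1"
    chmod 4444 "$t/libodd.so"      # hypothetical name, constructed for the test
    find_suid_libs "$t"            # expected: only $t/libodd.so
    rm -rf "$t"
}

# When run directly with directories as arguments, scan them, e.g.:
#   sh audit_suid_libs.sh /lib /usr/lib
if [ $# -gt 0 ]; then
    find_suid_libs "$@"
fi
```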