* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
@ 2014-06-29 7:40 ` schwab@linux-m68k.org
2014-06-29 11:55 ` joseph at codesourcery dot com
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: schwab@linux-m68k.org @ 2014-06-29 7:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
__libc_enable_secure is computed by the libc initializer before any application
code is run. No multi threading, no setuid/setgid calls.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
2014-06-29 7:40 ` [Bug libc/17100] " schwab@linux-m68k.org
@ 2014-06-29 11:55 ` joseph at codesourcery dot com
2014-06-29 12:17 ` fweimer at redhat dot com
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: joseph at codesourcery dot com @ 2014-06-29 11:55 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
On Sun, 29 Jun 2014, busterb at gmail dot com wrote:
> contexts, among other issues. I think that future glibc versions should only
> use AT_SECURE, removing the getuid/geteuid check. If AT_SECURE is unavailable,
> just assume the worst.
AT_SECURE is always available, since we removed support for pre-2.6
kernels.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
2014-06-29 7:40 ` [Bug libc/17100] " schwab@linux-m68k.org
2014-06-29 11:55 ` joseph at codesourcery dot com
@ 2014-06-29 12:17 ` fweimer at redhat dot com
2014-06-29 13:36 ` busterb at gmail dot com
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2014-06-29 12:17 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security-
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Should we add a check which aborts if AT_SECURE is not present? Beyond that,
there isn't anything libc can do here.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
` (2 preceding siblings ...)
2014-06-29 12:17 ` fweimer at redhat dot com
@ 2014-06-29 13:36 ` busterb at gmail dot com
2014-06-29 13:52 ` fweimer at redhat dot com
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: busterb at gmail dot com @ 2014-06-29 13:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #4 from Brent Cook <busterb at gmail dot com> ---
Thank you for the clarification.
Though AT_SECURE is available in all kernels that glibc supports, is there be
any way for an adversary to cause the fallback case to be triggered through
external means?
That there is a fallback case is a little misleading since it does not also
perform the capabilities checks that the kernel does, so I don't think one
would want it to inadvertently execute on any kernel that implements
capabilities:
http://lxr.free-electrons.com/source/security/commoncap.c#L590
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
` (3 preceding siblings ...)
2014-06-29 13:36 ` busterb at gmail dot com
@ 2014-06-29 13:52 ` fweimer at redhat dot com
2014-06-29 14:04 ` busterb at gmail dot com
2014-06-29 15:20 ` joseph at codesourcery dot com
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2014-06-29 13:52 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Brent Cook from comment #4)
> Though AT_SECURE is available in all kernels that glibc supports, is there
> be any way for an adversary to cause the fallback case to be triggered
> through external means?
No, the kernel prepares the aux vector as part of the execve implementation.
It is possible to invoke the new process through userspace emulation, supplying
a bogus aux vector, but then, no privilege transition occurs, so there is no
security impact.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
` (4 preceding siblings ...)
2014-06-29 13:52 ` fweimer at redhat dot com
@ 2014-06-29 14:04 ` busterb at gmail dot com
2014-06-29 15:20 ` joseph at codesourcery dot com
6 siblings, 0 replies; 8+ messages in thread
From: busterb at gmail dot com @ 2014-06-29 14:04 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #6 from Brent Cook <busterb at gmail dot com> ---
So at worst, the fallback case is a vestigial tail?
It would seem to be ready for the chopping block if so.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure
2014-06-29 3:17 [Bug libc/17100] New: secure_getenv() does not seem to properly detect if an environment is secure busterb at gmail dot com
` (5 preceding siblings ...)
2014-06-29 14:04 ` busterb at gmail dot com
@ 2014-06-29 15:20 ` joseph at codesourcery dot com
6 siblings, 0 replies; 8+ messages in thread
From: joseph at codesourcery dot com @ 2014-06-29 15:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17100
--- Comment #7 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
elf/enbl-secure.c is used on Hurd as well as Linux, but I suppose that
part of the code ought to be disabled if HAVE_AUX_SECURE.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread