From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: Zack Weinberg <zack@owlfolio.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
Adhemerval Zanella <adhemerval.zanella@linaro.org>,
GNU libc development <libc-alpha@sourceware.org>
Cc: Florian Weimer <fweimer@redhat.com>, Carlos O'Donell <carlos@redhat.com>
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
Date: Thu, 5 Oct 2023 15:11:16 -0400 [thread overview]
Message-ID: <ae819935-92fe-d4d8-8186-82be639ac0b5@sourceware.org> (raw)
In-Reply-To: <1d301638-abaa-4f0b-89a5-7fa75250bf5d@app.fastmail.com>
On 2023-10-05 14:31, Zack Weinberg wrote:
> On Thu, Oct 5, 2023, at 9:59 AM, Szabolcs Nagy wrote:
>> The 10/05/2023 08:55, Siddhesh Poyarekar wrote:
>>> The current unsetenv logic is well reasoned IMO; the tunables layer made it
>>> complicated and it ought to be sufficient to just remove that. But that
>>> would require dropping the memory tagging tunable from SXID_IGNORE and
>>> erasing GLIBC_TUNABLES by putting it in unsecvars.h.
>>
>> i think it is broken to rewrite env[] that is passed by
>> the kernel. but since glibc always did this i guess it's
>> fine.
>
> I think the CVE that prompted this discussion demonstrates that it's *insecure*
> to allow children of setxid processes to inherit any environment variable that is
> considered insecure to consult in the setxid process itself.
I don't completely disagree with the conclusion below, but the CVE that
prompted this discussion doesn't say anything about environment
inheritance because the vulnerability had nothing to do with environment
processing and inheritance. The issue there is limited to complex
parsing of a particular environment variable in a setxid context and the
main lesson there IMO is to keep any kind of processing to a bare
minimum in a setxid context.
Processing for environment inheritance (specifically, cleaning out
unsecvars) is fairly stable code that has stood the test of time. It
makes sense like you suggest below, to make it an inclusion list rather
than an exclusion list, but IMO that's a separate hardening exercise
from ripping tunables out of the setxid context.
> I also think we ought to be talking about a very short *whitelist* of environment
> variables that are allowed to survive execve() of a setxid binary -- off the top
> of my head, TERM, LANG, LANGUAGE, LC_*, and maybe *nothing else* -- and putting
> that list into the kernel itself.
>
> zw
>
Thanks,
Sid
next prev parent reply other threads:[~2023-10-05 19:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 20:11 [PATCH 0/2] make all tunables SXID_ERASE Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 1/2] Make all malloc " Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE Siddhesh Poyarekar
2023-10-04 7:29 ` Szabolcs Nagy
2023-10-04 11:59 ` Siddhesh Poyarekar
2023-10-04 14:04 ` Szabolcs Nagy
2023-10-04 14:23 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Szabolcs Nagy
2023-10-04 14:53 ` Siddhesh Poyarekar
2023-10-04 15:05 ` Siddhesh Poyarekar
2023-10-04 17:01 ` Adhemerval Zanella Netto
2023-10-05 8:19 ` Szabolcs Nagy
2023-10-05 12:55 ` Siddhesh Poyarekar
2023-10-05 13:59 ` Szabolcs Nagy
2023-10-05 14:05 ` Siddhesh Poyarekar
2023-10-05 18:31 ` Zack Weinberg
2023-10-05 19:11 ` Siddhesh Poyarekar [this message]
2023-10-06 12:25 ` Zack Weinberg
2023-10-06 12:41 ` Siddhesh Poyarekar
2023-10-06 17:10 ` Adhemerval Zanella Netto
2023-10-06 18:04 ` Siddhesh Poyarekar
2023-10-08 19:51 ` Michael Hudson-Doyle
2023-10-31 19:58 ` Zack Weinberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae819935-92fe-d4d8-8186-82be639ac0b5@sourceware.org \
--to=siddhesh@sourceware.org \
--cc=adhemerval.zanella@linaro.org \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=szabolcs.nagy@arm.com \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).