
rtld: restore abort for malformed environments while setuid
AbandonedPublic

Authored by kevans on Jan 28 2022, 5:56 AM.
Details

Summary

From 2009 up until bfd4c875a105 ("rtld: avoid use of of getenv(3) ..."),
rtld would abort if a malformed environment was observed in tainted
executions. The abort was added at the time because we wouldn't be able
to unset any of the sensitive env vars that we try to sanitize. This
has been rewritten such that that isn't an issue anymore, but a
malformed environment like this can be a good indicator that the caller
is trying to do something hinky; let's restore the previous behavior.

Discussed with: emaste
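The following is an added example written for this page; it is not FreeBSD's rtld or libc code. It models the two behaviours the summary contrasts for a tainted (set-user-ID) process whose environment is malformed: abort outright, or refuse to sanitize and return an error. The definition of "malformed" (an entry with no '=' or with an empty name), the LD_ prefix list and all function names are assumptions of the example, not rtld's actual table or API.

```c
/*
 * Added example, not FreeBSD rtld/libc code. Models sanitizing the
 * environment of a tainted (setuid) process when some entries are malformed.
 *
 * Assumed definition: an entry is well formed when it contains '=' and the
 * name before it is non-empty. A bare "LD_PRELOAD" entry has no '=', so a
 * lookup by name (which matches "LD_PRELOAD=") cannot find and unset it;
 * that is why unsetting alone cannot sanitize such an environment.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a tainted process should drop. Illustrative, not rtld's table. */
static const char *const sensitive_prefixes[] = { "LD_", NULL };

/* Index of the first malformed entry in envp, or -1 if all are well formed. */
int env_first_malformed(char *const envp[])
{
	for (int i = 0; envp[i] != NULL; i++) {
		const char *eq = strchr(envp[i], '=');
		if (eq == NULL || eq == envp[i])
			return (i);
	}
	return (-1);
}

static bool env_is_sensitive(const char *entry)
{
	for (int i = 0; sensitive_prefixes[i] != NULL; i++) {
		size_t n = strlen(sensitive_prefixes[i]);
		if (strncmp(entry, sensitive_prefixes[i], n) == 0)
			return (true);
	}
	return (false);
}

/*
 * Drop sensitive entries from envp in place; return how many were removed.
 * On a malformed environment:
 *   abort_on_malformed == true : terminate, as the restored rtld behaviour
 *                                does for tainted executions;
 *   abort_on_malformed == false: leave envp untouched and return -1, the
 *                                "return an error" style argued for below.
 */
int env_sanitize_tainted(char *envp[], bool abort_on_malformed)
{
	int in, out, removed = 0;

	if (env_first_malformed(envp) >= 0) {
		if (abort_on_malformed) {
			fputs("malformed environment in tainted process\n", stderr);
			abort();
		}
		return (-1);
	}
	for (in = out = 0; envp[in] != NULL; in++) {
		if (env_is_sensitive(envp[in])) {
			removed++;
			continue;
		}
		envp[out++] = envp[in];
	}
	envp[out] = NULL;
	return (removed);
}

/* Constructed well-formed environment: returns the number of entries dropped
 * (1, the LD_PRELOAD entry) after checking the survivors were compacted. */
int demo_well_formed(void)
{
	char *env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/evil.so", "HOME=/root", NULL };
	int removed = env_sanitize_tainted(env, false);

	if (strcmp(env[1], "HOME=/root") != 0 || env[2] != NULL)
		return (-2);
	return (removed);
}

/* Constructed environment with a bare "LD_PRELOAD" entry: error mode returns
 * -1 and leaves the entry in place instead of aborting. */
int demo_malformed(void)
{
	char *env[] = { "PATH=/bin", "LD_PRELOAD", NULL };
	int rc = env_sanitize_tainted(env, false);

	if (strcmp(env[1], "LD_PRELOAD") != 0)
		return (-2);
	return (rc);
}

int main(void)
{
	printf("well-formed: dropped %d entry\n", demo_well_formed());
	printf("malformed: sanitize returned %d\n", demo_malformed());
	return (0);
}
```

Passing true as the second argument reproduces the abort policy; the error-return path is the one a caller can actually act on, which is the distinction the thread below turns on.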

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

In my opinion, it is not rtld's job to enforce policies on the application. It is the application itself, or perhaps libc, which should do anything there. But even with libc, the library should not enforce the policy either.

The next day somebody would trick some binary that is not suid into doing a stupid thing with a non-compliant environment, and then what, should rtld be tasked with sanitizing and aborting?

In D34074#770475, @kib wrote:

In my opinion, it is not rtld's job to enforce policies on the application. It is the application itself, or perhaps libc, which should do anything there. But even with libc, the library should not enforce the policy either.

The next day somebody would trick some binary that is not suid into doing a stupid thing with a non-compliant environment, and then what, should rtld be tasked with sanitizing and aborting?

libc seems to go scorched earth after seeing this anyways: https://cgit.freebsd.org/src/tree/lib/libc/stdlib/getenv.c#n364

So the libc approach, as already implemented, is clearly superior:

  • it is done in the right way, i.e. the process is not abruptly terminated, but an error is returned instead
  • it is handled for both static and dynamic binaries
  • all processes are protected, not only suid ones