
List:       oss-security
Subject:    Re: [oss-security] libdbus hardening
From:       Ludwig Nussel <ludwig.nussel () suse ! de>
Date:       2012-07-30 9:52:21
Message-ID: 50165955.3020401 () suse ! de

Florian Weimer wrote:
> On 07/30/2012 10:59 AM, Ludwig Nussel wrote:
>> Florian Weimer wrote:
>>> On 07/17/2012 12:08 PM, Florian Weimer wrote:
>>>
>>>> Note that GNU libc will likely change the name to secure_getenv.
>>>> Upstream does not want to document __secure_getenv as-is.
>>>
>>> This will be part of glibc 2.17.  autoconf instructions are available here:
>>>
>>> <http://sourceware.org/glibc/wiki/Tips_and_Tricks/secure_getenv>
>>
>> Now the next step would be to make glibc automatically use secure_getenv
>> when running setuid root and require programs to explicitly call
>> insecure_getenv() or something like that :-)
> 
> You're welcome to absorb the transition costs. 8-) I looked into this
> briefly, and the potentially insecure getenv calls are not in the
> majority, so we'd have to expect quite a bit of breakage, or at least
> add a configurable whitelist of variable names in a file in /etc.

Potential breakage would only occur in setuid programs that actually use
getenv for valid purposes though. I wonder how many of those actually
exist.

> FWIW, I consider PAM and NSS (Name Service Switch) the major problem
> areas, too.  Do you know if the APIs would allow confining plug-ins to
> subprocesses?  Then we only have to solve the transparent child
> process problem.

No idea. I'd probably rather implement the setuid binary itself as
client/server program and get rid of setuid in the first place instead
of trying to play tricks in PAM though.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
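
The two approaches weighed in this thread, side by side, as an added example that is not code from the thread, glibc or libdbus: the opt-in secure_getenv() call per call site, and a getenv that hides everything except an allowlist when the process runs with elevated privileges. policy_getenv, ids_differ, env_allowlist and the variable DEMO_PLUGIN_DIR are hypothetical names, and the allowlist is kept inline rather than read from a file in /etc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes secure_getenv() in glibc >= 2.17 */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Explicit prototype in case <stdlib.h> was already included without _GNU_SOURCE. */
extern char *secure_getenv(const char *name);

/* Hypothetical allowlist; the thread suggests a file in /etc, kept inline here. */
static const char *const env_allowlist[] = { "TZ", "LANG", NULL };

/* Policy core: privilege state is a parameter so it can be exercised
 * without installing a setuid binary. */
static const char *policy_getenv(const char *name, int secure_exec,
                                 const char *const *allow)
{
    if (!secure_exec)
        return getenv(name);            /* unprivileged: normal behaviour */
    for (; allow != NULL && *allow != NULL; allow++)
        if (strcmp(*allow, name) == 0)
            return getenv(name);        /* allowlisted even when privileged */
    return NULL;                        /* everything else is hidden */
}

/* Assumption: differing real/effective IDs approximate secure execution.
 * glibc itself decides from AT_SECURE, which also covers file capabilities. */
static int ids_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    setenv("DEMO_PLUGIN_DIR", "/tmp/constructed", 1);   /* constructed sample */
    setenv("TZ", "UTC", 1);
    const char *v;

    v = secure_getenv("DEMO_PLUGIN_DIR");               /* opt-in, per call site */
    printf("secure_getenv:         %s\n", v ? v : "(null)");
    v = policy_getenv("DEMO_PLUGIN_DIR", ids_differ(), env_allowlist);
    printf("policy, this process:  %s\n", v ? v : "(null)");
    v = policy_getenv("DEMO_PLUGIN_DIR", 1, env_allowlist);
    printf("policy, privileged:    %s\n", v ? v : "(null)");
    v = policy_getenv("TZ", 1, env_allowlist);
    printf("policy, TZ privileged: %s\n", v ? v : "(null)");
    return 0;
}
```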