This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



$ORIGIN expansion in SUID/SGID applications


Hello, I've noticed that $ORIGIN is expanded in RPATH entries for
SGID/SUID binaries, on the condition that it is alone (_dl_dst_count,
elf/dl-load.c).

From http://tinyurl.com/yj7lpr "For security, the dynamic linker does
not allow use of $ORIGIN substitution sequences for set-user and
set-group ID programs.". Is there any reason why $ORIGIN is permitted on
its own? Of course, this would be a very bad idea as creating a link to
a suid program would allow a user to manipulate the value of $ORIGIN.

I was planning on submitting a patch that disables this expansion in
secure mode, but noticed that Ulrich had already looked at this code in
1999 and made this exception.

Thanks, Tavis.

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------
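
An audit sketch for the condition described in the message above, added here as an example and not part of the original post or of glibc: it reads DT_RPATH/DT_RUNPATH from ELF64 little-endian files and reports set-user/set-group ID binaries whose search path uses $ORIGIN, labelling a bare `$ORIGIN` entry separately. The function names and labels are illustrative, and the parser assumes the file still has its section headers.

```python
import os, stat, struct, sys

SHT_DYNAMIC, DT_NULL, DT_RPATH, DT_RUNPATH = 6, 0, 15, 29

def elf_search_paths(data):
    """Return [(tag_name, entry)] from DT_RPATH/DT_RUNPATH of an ELF64 LSB image."""
    if data[:6] != b"\x7fELF\x02\x01":
        return []  # other ELF classes are out of scope for this sketch
    shoff, = struct.unpack_from("<Q", data, 0x28)              # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)   # e_shentsize, e_shnum
    secs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
            for i in range(shnum)]
    out = []
    for _, sh_type, _, _, off, size, link, *_ in secs:
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = secs[link][4]  # sh_link of .dynamic names its string table
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                start = strtab + val
                raw = data[start:data.index(b"\0", start)].decode("utf-8", "replace")
                name = "RPATH" if tag == DT_RPATH else "RUNPATH"
                out += [(name, entry) for entry in raw.split(":")]
    return out

def classify(entry):
    """Label one search-path entry with respect to $ORIGIN (labels are illustrative)."""
    if entry == "$ORIGIN":
        return "origin-alone"  # the form the message reports as expanded in secure mode
    if "$ORIGIN" in entry or "${ORIGIN}" in entry:  # glibc also accepts the brace form
        return "origin-mixed"
    return None

def findings(data, mode):
    """Flag $ORIGIN search-path entries, but only for set-user/set-group ID files."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    return [(tag, e, classify(e)) for tag, e in elf_search_paths(data) if classify(e)]

if __name__ == "__main__":  # usage: script.py FILE...
    for path in sys.argv[1:]:
        mode = os.lstat(path).st_mode
        if stat.S_ISREG(mode):
            with open(path, "rb") as f:
                for hit in findings(f.read(), mode):
                    print(path, *hit)
```

Any hit is a candidate for relinking with an absolute search path; the `origin-alone` label marks the entries the message is asking about.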


