LD_PRELOAD temporary patch
Vasim Valejev
vasim at resume-bank.ru
Tue Dec 1 14:36:47 UTC 2009
I've used this patch to close the hole. It is temporary and doesn't fix the real troublemaker - the problem in the new version of getenv() (after 6.3 it was changed into something monstrous that doesn't work right if the environment has only one variable). I hope it will get fixed soon.
*** rtld.c.orig Tue Dec 1 16:55:13 2009
--- rtld.c Tue Dec 1 16:55:55 2009
***************
*** 357,374 ****
* is called. If any child process calls setuid(2) we do not want any
* future processes to honor the potentially un-safe variables.
*/
if (!trust) {
unsetenv(LD_ "PRELOAD");
unsetenv(LD_ "LIBMAP");
unsetenv(LD_ "LIBRARY_PATH");
unsetenv(LD_ "LIBMAP_DISABLE");
unsetenv(LD_ "DEBUG");
}
- ld_debug = getenv(LD_ "DEBUG");
- libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
- libmap_override = getenv(LD_ "LIBMAP");
- ld_library_path = getenv(LD_ "LIBRARY_PATH");
- ld_preload = getenv(LD_ "PRELOAD");
dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
(ld_library_path != NULL) || (ld_preload != NULL);
ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
--- 357,379 ----
* is called. If any child process calls setuid(2) we do not want any
* future processes to honor the potentially un-safe variables.
*/
+ ld_preload = getenv(LD_ "PRELOAD");
+ libmap_override = getenv(LD_ "LIBMAP");
+ ld_library_path = getenv(LD_ "LIBRARY_PATH");
+ libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
+ ld_debug = getenv(LD_ "DEBUG");
if (!trust) {
+ ld_preload = NULL;
+ libmap_override = NULL;
+ ld_library_path = NULL;
+ libmap_disable = 0;
+ ld_debug = NULL;
unsetenv(LD_ "PRELOAD");
unsetenv(LD_ "LIBMAP");
unsetenv(LD_ "LIBRARY_PATH");
unsetenv(LD_ "LIBMAP_DISABLE");
unsetenv(LD_ "DEBUG");
}
dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
(ld_library_path != NULL) || (ld_preload != NULL);
ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
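Review bot: The five `unsetenv()` calls in the `if (!trust)` block on the new side still ignore their return values, so a failed call leaves the `LD_*` string in the environment with no indication. Clearing `ld_preload`, `libmap_override`, `ld_library_path`, `libmap_disable` and `ld_debug` stops this rtld instance from honoring them. The comment directly above, however, says later processes must not see them either, and a silent `unsetenv()` failure breaks that for anything the setuid program goes on to execute. I would treat any non-zero return as fatal and stop the load, as sketched below; the error path is assumed to be rtld's existing `_rtld_error()`/`die()`, and the enclosing function starts and ends outside the hunk.

```c
if (!trust) {
	/* … unchanged: the five assignments that clear ld_preload … ld_debug … */
	if (unsetenv(LD_ "PRELOAD") != 0 ||
	    unsetenv(LD_ "LIBMAP") != 0 ||
	    unsetenv(LD_ "LIBRARY_PATH") != 0 ||
	    unsetenv(LD_ "LIBMAP_DISABLE") != 0 ||
	    unsetenv(LD_ "DEBUG") != 0) {
		/* Fail closed: an environment that cannot be scrubbed must not reach child processes. */
		_rtld_error("cannot clear unsafe " LD_ "* environment variables");
		die();
	}
}
```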