svn commit: r199983 - in head: lib/libc/stdlib
tools/regression/environ
Sean C. Farley
scf at FreeBSD.org
Tue Dec 1 16:47:00 UTC 2009
On Tue, 1 Dec 2009, Robert N. M. Watson wrote:
> On 1 Dec 2009, at 11:25, Sean C. Farley wrote:
>
>>> I think it's fair to say that the POSIXization of the environment
>>> code has been an unmitigated disaster, and speaks to the necessity
>>> for careful review of those sorts of code changes.
>>
>> As the author of the environment code, I agree that it has been a
>> painful process.
>>
>> Interestingly, the security issue was a combination of r169661 to
>> rtld.c, which is a correct action, and the new environ code which was
>> developed, as opposed to committed, at the same time. Separately,
>> the security issue would not have existed.
>
> One immediately pressing question is whether we can mitigate future
> possible problems along the same lines. The obvious thing is a further
> (and very careful) audit if all environmental variable use in the base
> system. But I wonder if there are some other things we could do, such
> as:
>
> - libc environment scrubbing: try to be more robust in the presence of
> the unexpected (for example, if you find corrupted stuff, ignore it
> more robustly); another variation might be to have libc abort(2) if
> issetugid() and unsetenv(3) would fail.
The preliminary patch I sent earlier should at least make the calls
behave more like they used to do (go through each variable even if
corrupt). However, I do agree that more code (getenv.c and any code
that calls into it) needs to be verified for more paranoid use of the
environment.
As for abort(), I was/still am considering having that be the result of
a corrupt environ array. If it is corrupt, why attempt to use it?
unsetenv() may still fail, so it may not abort() for other scenarios.
> - kernel environment scrubbing: the kernel is already responsible for
> getting those variables across the execve(2) boundary, so is already
> copying (and to a lesser extent, validating) it, and could learn to be
> a bit more rigorous in its expectations, perhaps more so for
> security-sensitive transitions (setuid/setgid/MAC/...)
That is a good point. I had not thought about kernel validation of the
environment in addition to the validation performed in libc.
> Brian's changes, although poorly timed, seem like a reasonable
> direction in this regard: we're stuck with unhelpful APIs, but maybe
> we can do a better job.
Getting rid of putenv() and especially removing direct access of environ
(replaced with API call(s)) would be my favorite API changes.
Sean
--
scf at FreeBSD.org
More information about the svn-src-head
mailing list