[PATCH] libc: add issetugid()

Anthony G. Basile basile at opensource.dyc.edu
Sat Jul 26 12:12:53 UTC 2014


On 07/24/14 16:41, Bernhard Reutner-Fischer wrote:
> On Wed, Jul 23, 2014 at 07:28:26AM -0400, Anthony G. Basile wrote:
>> I should add that this updated patch addresses Rich's points: 1) I've tested
>> this for both dynamic and static linking and I tested that libressl builds
>> and works correctly.  2) I added a link to the musl commit for the reasoning
>> behind this approach.
>>
>> On 07/22/14 13:27, basile at opensource.dyc.edu wrote:
>>> From: "Anthony G. Basile" <blueness at gentoo.org>
>>>
>>> issetugid() returns 1 if the process environment or memory address space
>>> is considered tainted, and returns 0 otherwise.  This happens, for example,
>>> when a process's privileges are elevated by the setuid or setgid flags on
>>> an executable belonging to root.  This function first appeared in OpenBSD 2.0
>>> and is needed for LibreSSL.
>>>
>>> This patch follows the same logic as the equivalent musl commit.  For more
>>> information see the commit message at
>>>
>>> http://git.musl-libc.org/cgit/musl/commit/?id=ddddec106fd17c3aca3287005d21e92f742aa9d4
>>> ---
>>>   include/unistd.h                    |  8 ++++++++
>>>   libc/misc/file/issetugid.c          | 12 ++++++++++++
>>>   libc/misc/internals/__uClibc_main.c | 12 ++++++++++++
>>>   3 files changed, 32 insertions(+)
>>>   create mode 100644 libc/misc/file/issetugid.c
>>>
>>> diff --git a/include/unistd.h b/include/unistd.h
>>> index 540062a..6c2c8c2 100644
>>> --- a/include/unistd.h
>>> +++ b/include/unistd.h
>>> @@ -1168,6 +1168,14 @@ extern long int syscall (long int __sysno, ...) __THROW;
>>>
>>>   #endif	/* Use misc.  */
>>>
>>> +#ifdef __USE_MISC
>
> is MISC (or MISC alone) an appropriate guard?

I had a hard time (and still have a hard time) deciding this even after 
carefully reading include/features.h.  The function started in OpenBSD 
and migrated to FreeBSD and NetBSD, but it's not in 4.3BSD.  _USE_MISC is 
looser but does include SYS V.  I'm thinking now to just remove the 
guard.  I did speak to Rich about what musl's doing but it doesn't seem 
appropriate here.

If there are no strong opinions, I'll just remove the guard and resubmit 
in a few days.

Your other comments below are good.

>
>>> +/* issetugid() returns 1 if the process environment or memory address space
>>> +   is considered tainted, and returns 0 otherwise.  This happens, for example,
>>> +   when a process's privileges are elevated by the setuid or setgid flags on
>>> +   an executable belonging to root.
>>> +*/
>>> +extern int issetugid(void);
>>> +#endif
>>>
>>>   #if (defined __USE_MISC || defined __USE_XOPEN_EXTENDED) && !defined F_LOCK
>>>   /* NOTE: These declarations also appear in <fcntl.h>; be sure to keep both
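
Review bot: The new `#ifdef __USE_MISC` opens directly after the context line `#endif	/* Use misc.  */`, whose comment suggests it closes a block under the same macro, so the declaration could sit inside that existing block instead of adding a second guard; if the guard is dropped as discussed in the reply, the added `#ifdef`/`#endif` pair goes with it. The prototype also lacks the `__THROW` annotation that the `syscall` prototype in the hunk header carries; `extern int issetugid(void) __THROW;` would match the surrounding declarations.
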
>>> diff --git a/libc/misc/file/issetugid.c b/libc/misc/file/issetugid.c
>>> new file mode 100644
>>> index 0000000..29a4167
>>> --- /dev/null
>>> +++ b/libc/misc/file/issetugid.c
>>> @@ -0,0 +1,12 @@
>>> +/* Copyright (C) 2013 Gentoo Foundation
>>> + * Licensed under LGPL v2.1 or later, see the file COPYING.LIB in this tarball.
>>> + */
>>> +
>>> +#include <unistd.h>
>>> +
>>> +extern int _pe_secure;
>>> +
>>> +int issetugid(void)
>>> +{
>>> +	return _pe_secure;
>>> +}
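
Review bot: `extern int _pe_secure;` is declared by hand in this file, so the compiler never checks it against the definition added in `__uClibc_main.c`. Moving the declaration into an internal header that both files include would catch a type or name drift, and is the natural place to attach hidden visibility, since as written `_pe_secure` is an ordinary writable global sitting behind the public `issetugid()`. A one-line comment that the value is only meaningful once `__uClibc_main` has assigned it would also help.
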
>>> diff --git a/libc/misc/internals/__uClibc_main.c b/libc/misc/internals/__uClibc_main.c
>>> index a37751f..b062e62 100644
>>> --- a/libc/misc/internals/__uClibc_main.c
>>> +++ b/libc/misc/internals/__uClibc_main.c
>>> @@ -40,6 +40,13 @@
>>>   #include <locale.h>
>>>   #endif
>>>
>>> +/* Are we in a secure process environment or are we dealing
>>> + * with setuid stuff?  If we are dynamically linked, then we
>>> + * already have _dl_secure, otherwise we need to re-examine
>>> + * auxvt[].
>>> + */
>>> +int _pe_secure = 1;
>
> I'd default that to 0
> and I'd make that libc_hidden_data_def(_pe_secure)
>
>>> +
>>>   #ifndef SHARED
>>>   void *__libc_stack_end = NULL;
>>>
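
Review bot: The comment above `int _pe_secure = 1;` does not say which value means what: "secure process environment" reads as the safe case, while `issetugid()` returns this variable directly and 1 means tainted. State the polarity (1 = setuid/setgid or otherwise tainted, 0 = not) and why the initializer is 1. The comment also mentions re-examining `auxvt[]`, but nothing added in this hunk does that; point at the code that does, or drop the sentence.
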
>>> @@ -387,6 +394,11 @@ void __uClibc_main(int (*main)(int, char **, char **), int argc,
>>>   #else
>>>       if (_dl_secure)
>>>   #endif
>>> +	_pe_secure = 1 ;
>>> +    else
>>> +	_pe_secure = 0 ;
>>> +
>>> +    if (_pe_secure)
>>>       {
>>>   	__check_one_fd (STDIN_FILENO, O_RDONLY | O_NOFOLLOW);
>>>   	__check_one_fd (STDOUT_FILENO, O_RDWR | O_NOFOLLOW);
>>>
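
Review bot: The added lines assign `_pe_secure` in an `if`/`else` and then immediately re-test it with `if (_pe_secure)`, so one decision is expressed twice, and the `if` they hang off is whichever one the `#else`/`#endif` lines above select for the build. Setting the flag inside the existing braced block and adding an `else` after it keeps a single test. The space before the semicolon in `_pe_secure = 1 ;` and `_pe_secure = 0 ;` should go as well.
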
>
> Please reformat the hunk above like:
> @@ -388,10 +388,12 @@ void __uClibc_main(int (*main)(int, char **, char **), int argc,
>       if (_dl_secure)
>   #endif
>       {
> +	_pe_secure = 1;
>   	__check_one_fd (STDIN_FILENO, O_RDONLY | O_NOFOLLOW);
>   	__check_one_fd (STDOUT_FILENO, O_RDWR | O_NOFOLLOW);
>   	__check_one_fd (STDERR_FILENO, O_RDWR | O_NOFOLLOW);
> -    }
> +    } else
> +	_pe_secure = 0;
>   #endif
>
>       __uclibc_progname = *argv;
>
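
Review bot: Both assignments sit before the trailing `#endif`, so in a configuration where this region is compiled out `_pe_secure` never leaves its initializer. With the initializer changed to 0 as suggested earlier in the reply, such a build would have `issetugid()` return 0 unconditionally; either make the assignment independent of the conditional region or keep an initializer of 1 so that case fails closed. The unbraced `else` directly before `#endif` is also easy to break when a line is added later, so braces on both branches are worth having.
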
> TIA,
>


-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

