Gentle ping. >Ping. >On 09/22/2015 11:58 AM, Maria Guseva wrote: >Hello Michael, Yury >> What do you think of the alternative patch below? >Thank you, the patch you proposed looks much better. >>>> While at it, could you also mention that /etc/suid-debug enables >>>> LD_DEBUG for suids? >>> >>> Does it? I can't see that in the glibc source. Am I missing something? >>I was looking at process_envvars (in rtld.c): it resets dl_debug_mask for AT_SECURE binaries unless /etc/suid-debug exists. >So I think it should mentioned in LD_DEBUG environment variable description, here: > .B LD_DEBUG >-is ignored for set-user-ID/set-group-ID binaries. >+is ignored in secure-execution mode. >+However, if the file >+.IR /etc/suid\-debug >+exists (the content of the file is irrelevant), then .BR LD_DEBUG has >+an effect in secure-execution mode. > .TP So find the final patch below: diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644 --- a/man8/ld.so.8 +++ b/man8/ld.so.8 @@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not exist. Use of DT_RPATH is deprecated. .IP o Using the environment variable -.BR LD_LIBRARY_PATH . -Except if the executable is a set-user-ID/set-group-ID binary, +.BR LD_LIBRARY_PATH +(unless the executable is being run in secure-execution mode; see below). in which case it is ignored. .IP o (ELF only) Using the directories specified in the @@ -166,15 +166,38 @@ environment variable setting (see below). .BI \-\-inhibit\-rpath " list" Ignore RPATH and RUNPATH information in object names in .IR list . -This option is ignored if -.B ld.so -is set-user-ID or set-group-ID. +This option is ignored if when running in secure-execution mode (see below). .TP .BI \-\-audit " list" Use objects named in .I list as auditors. .SH ENVIRONMENT +Various environment variable influence the operation of the dynamic linker. +.\" +.SS Secure-execution mode +For security reasons, +the effects of some environment variables are voided or modified if the +dynamic linker determines that the binary should be run in +secure-execution mode. +This determination is made by checking whether the .B AT_SECURE entry +in the auxiliary vector (see .BR getauxval (3)) has a nonzero value. +This entry may have a nonzero value for various reasons, including: +.IP * 3 +The process's real and effective user IDs differ, or the real and +effective group IDs differ. +This typically occurs as a result of executing a set-user-ID or +set-group-ID program. +.IP * +A process with a non-root user ID executed a binary that conferred +permitted or effective capabilities. +.IP * +A nonzero value may have been set by a Linux Security Module. +.\" +.SS Environment variables Among the more important environment variables are the following: .TP .B LD_ASSUME_KERNEL @@ -235,7 +258,7 @@ The items in the list are separated by either colons or semicolons. Similar to the .B PATH environment variable. -Ignored in set-user-ID and set-group-ID programs. +This variable is ignore in secure-execution mode. .TP .B LD_PRELOAD A list of additional, user-specified, ELF shared @@ -243,7 +266,7 @@ objects to be loaded before all others. The items of the list can be separated by spaces or colons. This can be used to selectively override functions in other shared objects. The objects are searched for using the rules given under DESCRIPTION. -For set-user-ID/set-group-ID ELF binaries, +In secure-execution mode, preload pathnames containing slashes are ignored, and shared objects in the standard search directories are loaded only if the set-user-ID mode bit is enabled on the shared object file. @@ -282,7 +305,7 @@ to be loaded before all others in a separate linker namespace would occur in the process). These objects can be used to audit the operation of the dynamic linker. .B LD_AUDIT -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. The dynamic linker will notify the audit shared objects at so-called auditing checkpoints\(emfor example, @@ -313,7 +336,7 @@ prints a help message about which categories can be specified in this environment variable. Since glibc 2.3.4, .B LD_DEBUG -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. +However, if the file +.IR /etc/suid\-debug +exists (the content of the file is irrelevant), then .BR LD_DEBUG has +an effect in secure-execution mode. .TP .B LD_DEBUG_OUTPUT (glibc since 2.1) @@ -322,14 +345,14 @@ File in which output should be written. The default is standard error. .B LD_DEBUG_OUTPUT -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. .TP .B LD_DYNAMIC_WEAK (glibc since 2.1.91) Allow weak symbols to be overridden (reverting to old glibc behavior). -For security reasons, since glibc 2.3.4, +Since glibc 2.3.4, .B LD_DYNAMIC_WEAK -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. .TP .B LD_HWCAP_MASK (glibc since 2.1) @@ -348,9 +371,9 @@ version numbers. .B LD_ORIGIN_PATH (glibc since 2.1) Path where the binary is found (for non-set-user-ID programs). -For security reasons, since glibc 2.4, +Since glibc 2.4, .B LD_ORIGIN_PATH -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. .\" Only used if $ORIGIN can't be determined by normal means .\" (from the origin path saved at load time, or from /proc/self/exe)? .TP @@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an empty string, then the default is .IR /var/tmp . .B LD_PROFILE_OUTPUT -is ignored for set-user-ID and set-group-ID programs, +is ignored in secure-execution mode. which always use .IR /var/profile . .TP .B LD_SHOW_AUXV (glibc since 2.1) Show auxiliary array passed up from the kernel. -For security reasons, since glibc 2.3.5, +Since glibc 2.3.5, .B LD_SHOW_AUXV -is ignored for set-user-ID/set-group-ID binaries. +is ignored in secure-execution mode. .TP .B LD_TRACE_PRELINKING (glibc since 2.4) @@ -421,7 +444,7 @@ If .B LD_USE_LOAD_BIAS is defined with the value 0, neither executables nor PIEs will honor the base addresses. -This variable is ignored by set-user-ID and set-group-ID programs. +This variable is ignored in secure-execution mode. .TP .B LD_VERBOSE (glibc since 2.1) @@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm .BR sprof (1), .BR dlopen (3), .BR getauxval (3), +.BR capabilities (7), .BR rtld-audit (7), .BR ldconfig (8), .BR sln (8) Regards, Maria -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
