Hi Please find below a few typos I found while looking at the text. On Thu, Nov 26, 2015 at 10:43 AM, Maria Guseva <m.guseva@xxxxxxxxxxx> wrote: > So find the final patch below: > > diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644 > --- a/man8/ld.so.8 > +++ b/man8/ld.so.8 > @@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not > exist. > Use of DT_RPATH is deprecated. > .IP o > Using the environment variable > -.BR LD_LIBRARY_PATH . > -Except if the executable is a set-user-ID/set-group-ID binary, > +.BR LD_LIBRARY_PATH > +(unless the executable is being run in secure-execution mode; see below). > in which case it is ignored. > .IP o > (ELF only) Using the directories specified in the 
@@ -166,15 +166,38 @@ > environment variable setting (see below). > .BI \-\-inhibit\-rpath " list" > Ignore RPATH and RUNPATH information in object names in .IR list . > -This option is ignored if > -.B ld.so > -is set-user-ID or set-group-ID. > +This option is ignored if when running in secure-execution mode (see > below). either "if" or "when", not both > .TP > .BI \-\-audit " list" > Use objects named in > .I list > as auditors. > .SH ENVIRONMENT > +Various environment variable influence the operation of the dynamic linker. s/variable/variables/ > +.\" > +.SS Secure-execution mode > +For security reasons, > +the effects of some environment variables are voided or modified if the > +dynamic linker determines that the binary should be run in > +secure-execution mode. > +This determination is made by checking whether the .B AT_SECURE entry > +in the auxiliary vector (see .BR getauxval (3)) has a nonzero value. > +This entry may have a nonzero value for various reasons, including: > +.IP * 3 > +The process's real and effective user IDs differ, or the real and I think one writes process' instead of process's if a possessive 's follows an s at the end of the word. > +effective group IDs differ. > +This typically occurs as a result of executing a set-user-ID or > +set-group-ID program. > +.IP * > +A process with a non-root user ID executed a binary that conferred > +permitted or effective capabilities. > +.IP * > +A nonzero value may have been set by a Linux Security Module. > +.\" > +.SS Environment variables > Among the more important environment variables are the following: > .TP > .B LD_ASSUME_KERNEL > @@ -235,7 +258,7 @@ The items in the list are separated by either colons or > semicolons. > Similar to the > .B PATH > environment variable. > -Ignored in set-user-ID and set-group-ID programs. > +This variable is ignore in secure-execution mode. s/ignore/ignored/ Thanks! Cheers, Silvan > .TP > .B LD_PRELOAD > A list of additional, user-specified, ELF shared 
@@ -243,7 +266,7 @@ > objects to be loaded before all others. > The items of the list can be separated by spaces or colons. > This can be used to selectively override functions in other shared objects. > The objects are searched for using the rules given under DESCRIPTION. > -For set-user-ID/set-group-ID ELF binaries, > +In secure-execution mode, > preload pathnames containing slashes are ignored, and shared objects in > the standard search directories are loaded only if the set-user-ID mode bit > is enabled on the shared object file. > @@ -282,7 +305,7 @@ to be loaded before all others in a separate linker > namespace would occur in the process). > These objects can be used to audit the operation of the dynamic linker. > .B LD_AUDIT > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > > The dynamic linker will notify the audit shared objects at so-called > auditing checkpoints\(emfor example, @@ -313,7 +336,7 @@ prints a help > message about which categories can be specified in this environment > variable. > Since glibc 2.3.4, > .B LD_DEBUG > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > +However, if the file > +.IR /etc/suid\-debug > +exists (the content of the file is irrelevant), then .BR LD_DEBUG has > +an effect in secure-execution mode. > .TP > .B LD_DEBUG_OUTPUT > (glibc since 2.1) > @@ -322,14 +345,14 @@ File in which > output should be written. > The default is standard error. > .B LD_DEBUG_OUTPUT > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > .TP > .B LD_DYNAMIC_WEAK > (glibc since 2.1.91) > Allow weak symbols to be overridden (reverting to old glibc behavior). > -For security reasons, since glibc 2.3.4, > +Since glibc 2.3.4, > .B LD_DYNAMIC_WEAK > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > .TP > .B LD_HWCAP_MASK > (glibc since 2.1) 
> @@ -348,9 +371,9 @@ version numbers. > .B LD_ORIGIN_PATH > (glibc since 2.1) > Path where the binary is found (for non-set-user-ID programs). > -For security reasons, since glibc 2.4, > +Since glibc 2.4, > .B LD_ORIGIN_PATH > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > .\" Only used if $ORIGIN can't be determined by normal means .\" (from the > origin path saved at load time, or from /proc/self/exe)? > .TP > @@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an > empty string, then the default is .IR /var/tmp . > .B LD_PROFILE_OUTPUT > -is ignored for set-user-ID and set-group-ID programs, > +is ignored in secure-execution mode. > which always use > .IR /var/profile . > .TP > .B LD_SHOW_AUXV > (glibc since 2.1) > Show auxiliary array passed up from the kernel. > -For security reasons, since glibc 2.3.5, > +Since glibc 2.3.5, > .B LD_SHOW_AUXV > -is ignored for set-user-ID/set-group-ID binaries. > +is ignored in secure-execution mode. > .TP > .B LD_TRACE_PRELINKING > (glibc since 2.4) > @@ -421,7 +444,7 @@ If > .B LD_USE_LOAD_BIAS > is defined with the value 0, > neither executables nor PIEs will honor the base addresses. > -This variable is ignored by set-user-ID and set-group-ID programs. > +This variable is ignored in secure-execution mode. > .TP > .B LD_VERBOSE > (glibc since 2.1) 
> @@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm > .BR sprof (1), .BR dlopen (3), .BR getauxval (3), > +.BR capabilities (7), > .BR rtld-audit (7), > .BR ldconfig (8), > .BR sln (8) > > > Regards, > Maria > > -- > To unsubscribe from this list: send the line "unsubscribe linux-man" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
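Review bot: in the first hunk (`@@ -61,8 +61,8 @@`), the unchanged context line `in which case it is ignored.` now dangles after `+(unless the executable is being run in secure-execution mode; see below).`, because the new line already closes the sentence with a full stop; that context line was the tail of the removed clause `Except if the executable is a set-user-ID/set-group-ID binary,`. Extend the hunk to remove `in which case it is ignored.` (or fold it into the parenthesis) so the LD_LIBRARY_PATH item reads as one sentence.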
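Review bot: in the `@@ -166,15 +166,38 @@` hunk, the troff requests in `+This determination is made by checking whether the .B AT_SECURE entry` and `+in the auxiliary vector (see .BR getauxval (3)) has a nonzero value.` sit in the middle of a line; groff only honours a request at the start of a line, so `.B AT_SECURE` and `.BR getauxval (3)` would be printed literally instead of being set in bold. Break each onto its own line, as the rest of the page does (compare `.BR LD_LIBRARY_PATH` in the first hunk). If this is only the mail client wrapping the quoted patch, the applied version is fine, but it is worth checking before it goes in.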
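Review bot: in the `@@ -313,7 +336,7 @@` hunk, `+exists (the content of the file is irrelevant), then .BR LD_DEBUG has` has the same mid-line macro problem: `.BR LD_DEBUG` has to start its own line to render as bold, so split it as `then` / `.B LD_DEBUG` / `has an effect in secure-execution mode.` Also, `+.IR /etc/suid\-debug` carries a single argument, so `.I` is the conventional macro there (`.IR` alternates italic and roman between its arguments).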
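Review bot: in the `@@ -348,9 +371,9 @@` hunk, the context line `Path where the binary is found (for non-set-user-ID programs).` still describes LD_ORIGIN_PATH in set-user-ID terms while the new line two lines below, `+is ignored in secure-execution mode.`, uses the new terminology, so the entry states its condition twice in slightly different words. Consider dropping the parenthetical, since the following sentence now gives the precise condition.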
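Review bot: in the `@@ -382,16 +405,16 @@` hunk, `+is ignored in secure-execution mode.` ends with a full stop, but the unchanged context lines `which always use` / `.IR /var/profile .` continue the sentence, so the LD_PROFILE_OUTPUT entry would now render as "is ignored in secure-execution mode. which always use /var/profile." Keep the comma from the removed line (`+is ignored in secure-execution mode,`), or make it two sentences: `is ignored in secure-execution mode;` / `such programs always use` / `.IR /var/profile .`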