diff options
author | Florian Weimer <fweimer@redhat.com> | 2012-07-25 19:46:22 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2012-07-25 19:46:22 +0200 |
commit | 84b3fd8407cc9a2e7f487b6247681bd8a78a4560 (patch) | |
tree | 26e482f31c4fe6e36d8aa64394ff4659908bdc4f | |
parent | 56e49b714ecd32c72c334802b00e3d62008d98e3 (diff) | |
download | glibc-84b3fd8407cc9a2e7f487b6247681bd8a78a4560.tar glibc-84b3fd8407cc9a2e7f487b6247681bd8a78a4560.tar.gz glibc-84b3fd8407cc9a2e7f487b6247681bd8a78a4560.tar.bz2 glibc-84b3fd8407cc9a2e7f487b6247681bd8a78a4560.zip |
Rename __secure_getenv to secure_getenv
40 files changed, 446 insertions, 28 deletions
@@ -1,3 +1,66 @@ +2012-07-25 Florian Weimer <fweimer@redhat.com> + + * Versions.def: Add GLIBC_2.17. + + * stdlib/stdlib.h: Rename __secure_getenv to secure_getenv. + * include/stdlib.h: Rename __secure_getenv to secure_getenv. + Introduce __libc_secure_getenv. + * stdlib/Versions: Add secure_getenv and __libc_secure_getenv. + * stdlib/secure-getenv.c: Likewise. Update copyright years. + * stdlib/tst-secure-getenv.c: New. + * stdlib/Makefile (tests): Add testcase. + + * manual/startup.texi (Environment Access): Document + secure_getenv. + + * hesiod/hesiod.c (hesiod_init): Rename __secure_getenv to + __libc_secure_getenv. + * inet/ruserpass.c (ruserpass): Likewise. + * malloc/mtrace.c (mtrace): Likewise. + * sysdeps/mach/hurd/tmpfile.c (__tmpfile): Likewise. + * sysdeps/posix/libc_fatal.c (__libc_fatal): Likewise. Update + copyright years. + * sysdeps/posix/sysconf.c (__sysconf__check_spec): Likewise. + * sysdeps/posix/tempname.c: Likewise. Evaluate + HAVE_SECURE_GETENV. + * sysdeps/unix/sysv/linux/libc_fatal.c (__libc_message): Rename + __secure_getenv to __libc_secure_getenv. Update copyright years. + + * sysdeps/unix/sysv/linux/i386/nptl/libc.abilist: Add secure_getenv. + * sysdeps/unix/sysv/linux/libc_fatal.c: Likewise. + * sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist: + Likewise. + * sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist: + Likewise. + * sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sh/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist: + Likewise. + 2012-07-25 Joseph Myers <joseph@codesourcery.com> * sysdeps/generic/ldsodefs.h (struct La_i86_regs): Remove. @@ -17,6 +17,10 @@ Version 2.17 zEnterprise z196. Implemented by Andreas Krebbel. +* The new function secure_getenv allows secure access to the environment, + returning NULL if running in a SUID/SGID process. This function replaces + the internal function __secure_getenv. + Version 2.16 diff --git a/Versions.def b/Versions.def index 2b44f5e0bb..3c9e0aedbc 100644 --- a/Versions.def +++ b/Versions.def @@ -33,6 +33,7 @@ libc { GLIBC_2.14 GLIBC_2.15 GLIBC_2.16 + GLIBC_2.17 HURD_CTHREADS_0.3 %ifdef EXPORT_UNWIND_FIND_FDE GCC_3.0 diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c index a3f22e5c88..657dabebc1 100644 --- a/hesiod/hesiod.c +++ b/hesiod/hesiod.c @@ -87,7 +87,7 @@ hesiod_init(void **context) { ctx->classes[0] = C_IN; ctx->classes[1] = C_HS; - configname = __secure_getenv("HESIOD_CONFIG"); + configname = __libc_secure_getenv("HESIOD_CONFIG"); if (!configname) configname = _PATH_HESIOD_CONF; if (parse_config_file(ctx, configname) < 0) { @@ -109,7 +109,7 @@ hesiod_init(void **context) { * The default RHS can be overridden by an environment * variable. */ - if ((cp = __secure_getenv("HES_DOMAIN")) != NULL) { + if ((cp = __libc_secure_getenv("HES_DOMAIN")) != NULL) { free(ctx->RHS); ctx->RHS = malloc(strlen(cp)+2); if (!ctx->RHS) diff --git a/include/stdlib.h b/include/stdlib.h index de0b414d86..d45b2f02de 100644 --- a/include/stdlib.h +++ b/include/stdlib.h @@ -33,12 +33,13 @@ libc_hidden_proto (__strtold_l) libc_hidden_proto (exit) libc_hidden_proto (abort) libc_hidden_proto (getenv) +extern __typeof (secure_getenv) __libc_secure_getenv; +libc_hidden_proto (__libc_secure_getenv) libc_hidden_proto (bsearch) libc_hidden_proto (qsort) libc_hidden_proto (qsort_r) libc_hidden_proto (lrand48_r) libc_hidden_proto (wctomb) -libc_hidden_proto (__secure_getenv) extern long int __random (void); extern void __srandom (unsigned int __seed); diff --git a/inet/ruserpass.c b/inet/ruserpass.c index df423ba6ee..71a734dfda 100644 --- a/inet/ruserpass.c +++ b/inet/ruserpass.c @@ -102,7 +102,7 @@ ruserpass(host, aname, apass) int t, usedefault = 0; struct stat64 stb; - hdir = __secure_getenv("HOME"); + hdir = __libc_secure_getenv("HOME"); if (hdir == NULL) { /* If we can't get HOME, fail instead of trying ".", which is no improvement. This really should call diff --git a/malloc/mtrace.c b/malloc/mtrace.c index d1049c982c..d7a032a86a 100644 --- a/malloc/mtrace.c +++ b/malloc/mtrace.c @@ -309,7 +309,7 @@ mtrace () /* When compiling the GNU libc we use the secure getenv function which prevents the misuse in case of SUID or SGID enabled programs. */ - mallfile = __secure_getenv (mallenv); + mallfile = __libc_secure_getenv (mallenv); #else mallfile = getenv (mallenv); #endif diff --git a/manual/startup.texi b/manual/startup.texi index 0420e93289..d0be5e65f4 100644 --- a/manual/startup.texi +++ b/manual/startup.texi @@ -310,11 +310,15 @@ character, since this is assumed to terminate the string. The value of an environment variable can be accessed with the @code{getenv} function. This is declared in the header file -@file{stdlib.h}. Modifications of enviroment variables are not -allowed in Multi-threaded programs. The @code{getenv} function -can be safely used in multi-threaded programs +@file{stdlib.h}. @pindex stdlib.h +Libraries should use @code{secure_getenv} instead of @code{getenv}, so +that they do not accidentally use untrusted environment variables. +Modifications of environment variables are not allowed in +multi-threaded programs. The @code{getenv} and @code{secure_getenv} +functions can be safely used in multi-threaded programs. + @comment stdlib.h @comment ISO @deftypefun {char *} getenv (const char *@var{name}) @@ -326,6 +330,18 @@ environment variable @var{name} is not defined, the value is a null pointer. @end deftypefun +@comment stdlib.h +@comment GNU +@deftypefun {char *} secure_getenv (const char *@var{name}) +This function is similar to @code{getenv}, but it returns a null +pointer if the environment is untrusted. This happens when the +program file has SUID or SGID bits set. General-purpose libraries +should always prefer this function over @code{getenv} to avoid +vulnerabilities if the library is referenced from a SUID/SGID program. + +This function is a GNU extension. +@end deftypefun + @comment stdlib.h @comment SVID diff --git a/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist index 6d333aa522..f8a3295add 100644 --- a/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist @@ -1811,6 +1811,9 @@ GLIBC_2.16 sys_errlist D 0x460 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist index 1f496fb61c..5523fdd2a3 100644 --- a/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.4 GLIBC_2.4 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist index 6939ad73bc..b73f5ca8f7 100644 --- a/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist index ca31ead95f..9a924571e8 100644 --- a/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist @@ -79,6 +79,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.4 GLIBC_2.4 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist index c2706f1e14..fbcd20897b 100644 --- a/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist @@ -1767,6 +1767,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist index 80f7d3321d..54e8d1a94e 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist @@ -2242,3 +2242,6 @@ GLIBC_2.9 pipe2 F _gp_disp _gp_disp A +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist index 6d64e1d238..2a0e2a2d96 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist @@ -1390,6 +1390,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist index 701152eeb5..0e21194ac1 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist @@ -1388,6 +1388,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist index 43015f4e92..11ad6a525d 100644 --- a/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist @@ -1772,6 +1772,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist index eed3b4937f..48f0c69eb8 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist index 2dbce23ec9..3aa70a1004 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist index eed3b4937f..48f0c69eb8 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/stdlib/Makefile b/stdlib/Makefile index f7811c5bbb..10674f2cd7 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -68,7 +68,9 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ tst-makecontext2 tst-strtod6 tst-unsetenv1 \ - tst-makecontext3 bug-getcontext bug-fmtmsg1 + tst-makecontext3 bug-getcontext bug-fmtmsg1 \ + tst-secure-getenv +tests-static := tst-secure-getenv include ../Makeconfig diff --git a/stdlib/Versions b/stdlib/Versions index 2aa396ecb7..250bd5fad7 100644 --- a/stdlib/Versions +++ b/stdlib/Versions @@ -6,7 +6,7 @@ libc { # functions used in inline functions or macros __strto*_internal; - # functions used in other libraries + # compatibility symbol __secure_getenv; # a* @@ -103,11 +103,16 @@ libc { GLIBC_2.13 { __fentry__; } + GLIBC_2.17 { + secure_getenv; + } GLIBC_PRIVATE { # functions which have an additional interface since they are # are cancelable. __libc_system; # Variable which needs a dynamic symbol table entry. __abort_msg; + # Used from other libraries + __libc_secure_getenv; } } diff --git a/stdlib/secure-getenv.c b/stdlib/secure-getenv.c index f64759f09b..2e696e90f0 100644 --- a/stdlib/secure-getenv.c +++ b/stdlib/secure-getenv.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991, 1992, 1994, 1996, 2002 Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -18,13 +18,20 @@ #include <stdlib.h> #include <unistd.h> +#include <shlib-compat.h> + /* Some programs and especially the libc itself have to be careful what values to accept from the environment. This special version checks for SUID or SGID first before doing any work. */ char * -__secure_getenv (name) +__libc_secure_getenv (name) const char *name; { return __libc_enable_secure ? NULL : getenv (name); } -libc_hidden_def (__secure_getenv) +weak_alias (__libc_secure_getenv, secure_getenv) +libc_hidden_weak (__libc_secure_getenv) + +#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_16) +compat_symbol (libc, __libc_secure_getenv, __secure_getenv, GLIBC_2_0); +#endif diff --git a/stdlib/stdlib.h b/stdlib/stdlib.h index f652eda3fe..cf3f39ca84 100644 --- a/stdlib/stdlib.h +++ b/stdlib/stdlib.h @@ -568,10 +568,12 @@ __BEGIN_NAMESPACE_STD extern char *getenv (const char *__name) __THROW __nonnull ((1)) __wur; __END_NAMESPACE_STD +#ifdef __USE_GNU /* This function is similar to the above but returns NULL if the programs is running with SUID or SGID enabled. */ -extern char *__secure_getenv (const char *__name) +extern char *secure_getenv (const char *__name) __THROW __nonnull ((1)) __wur; +#endif #if defined __USE_SVID || defined __USE_XOPEN /* The SVID says this is in <stdio.h>, but this seems a better place. */ diff --git a/stdlib/tst-secure-getenv.c b/stdlib/tst-secure-getenv.c new file mode 100644 index 0000000000..76d8de6ed4 --- /dev/null +++ b/stdlib/tst-secure-getenv.c @@ -0,0 +1,250 @@ +/* Copyright (C) 2012 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +/* Test that secure_getenv works by invoking the test as a SGID + program with a group ID from the supplementary group list. This + test can fail spuriously if the user is not a member of a suitable + supplementary group. */ + +#include <errno.h> +#include <fcntl.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <unistd.h> + +static char MAGIC_ARGUMENT[] = "run-actual-test"; +#define MAGIC_STATUS 19 + +static const char *test_dir; + +/* Return a GID which is not our current GID, but is present in the + supplementary group list. */ +static gid_t +choose_gid (void) +{ + const int count = 64; + gid_t groups[count]; + int ret = getgroups (count, groups); + if (ret < 0) + { + perror ("getgroups"); + exit (1); + } + gid_t current = getgid (); + for (int i = 0; i < ret; ++i) + { + if (groups[i] != current) + return groups[i]; + } + return 0; +} + + +/* Copies the executable into a restricted directory, so that we can + safely make it SGID with the TARGET group ID. Then runs the + executable. */ +static int +run_executable_sgid (gid_t target) +{ + char *dirname = 0; + char *execname = 0; + int infd = -1; + int outfd = -1; + int ret = -1; + if (asprintf (&dirname, "%s/secure-getenv.%jd", + test_dir, (intmax_t) getpid ()) < 0) + { + perror ("asprintf"); + goto err; + } + if (mkdir (dirname, 0700) < 0) + { + perror ("mkdir"); + goto err; + } + if (asprintf (&execname, "%s/bin", dirname) < 0) + { + perror ("asprintf"); + goto err; + } + infd = open ("/proc/self/exe", O_RDONLY); + if (infd < 0) + { + perror ("open"); + goto err; + } + outfd = open (execname, O_WRONLY | O_CREAT | O_EXCL, 0700); + if (outfd < 0) + { + perror ("open"); + goto err; + } + char buf[4096]; + for (;;) + { + ssize_t rdcount = read (infd, buf, sizeof (buf)); + if (rdcount < 0) + { + perror ("read"); + goto err; + } + if (rdcount == 0) + break; + char *p = buf; + char *end = buf + rdcount; + while (p != end) + { + ssize_t wrcount = write (outfd, buf, end - p); + if (wrcount == 0) + errno = ENOSPC; + if (wrcount <= 0) + { + perror ("write"); + goto err; + } + p += wrcount; + } + } + if (fchown (outfd, getuid (), target) < 0) + { + perror ("fchown"); + goto err; + } + if (fchmod (outfd, 02750) < 0) + { + perror ("fchmod"); + goto err; + } + if (close (outfd) < 0) + { + perror ("close"); + goto err; + } + if (close (infd) < 0) + { + perror ("close"); + goto err; + } + + int kid = fork (); + if (kid < 0) + { + perror ("fork"); + goto err; + } + if (kid == 0) + { + /* Child process. */ + char *args[] = { execname, MAGIC_ARGUMENT, NULL }; + execve (execname, args, environ); + perror ("execve"); + _exit (1); + } + int status; + if (waitpid (kid, &status, 0) < 0) + { + perror ("waitpid"); + goto err; + } + if (!WIFEXITED (status) || WEXITSTATUS (status) != MAGIC_STATUS) + { + fprintf (stderr, "Unexpected exit status %d from child process\n", + status); + goto err; + } + ret = 0; + +err: + if (outfd >= 0) + close (outfd); + if (infd >= 0) + close (infd); + if (execname) + { + unlink (execname); + free (execname); + } + if (dirname) + { + rmdir (dirname); + free (dirname); + } + return ret; +} + +static int +do_test (void) +{ + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set\n"); + exit (1); + } + if (secure_getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set according to secure_getenv\n"); + exit (1); + } + if (strcmp (getenv ("PATH"), secure_getenv ("PATH")) != 0) + { + fprintf (stderr, "PATH mismatch (%s, %s)\n", + getenv ("PATH"), secure_getenv ("PATH")); + exit (1); + } + + gid_t target = choose_gid (); + if (target == 0) + { + fprintf (stderr, "Could not find a suitable GID user %jd\n", + (intmax_t) getuid ()); + exit (1); + } + return run_executable_sgid (target); +} + +static void +alternative_main (int argc, char **argv) +{ + if (argc == 2 && strcmp (argv[1], MAGIC_ARGUMENT) == 0) + { + if (getgid () == getegid ()) + { + fprintf (stderr, "SGID failed: GID and EGID match (%jd)\n", + (intmax_t) getgid ()); + exit (2); + } + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH variable not present\n"); + exit (3); + } + if (secure_getenv ("PATH") != NULL) + { + fprintf (stderr, "PATH variable not filtered out\n"); + exit (4); + } + exit (MAGIC_STATUS); + } +} + +#define PREPARE(argc, argv) alternative_main(argc, argv) +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/sysdeps/mach/hurd/tmpfile.c b/sysdeps/mach/hurd/tmpfile.c index 94b1380da4..c2aa764916 100644 --- a/sysdeps/mach/hurd/tmpfile.c +++ b/sysdeps/mach/hurd/tmpfile.c @@ -37,7 +37,7 @@ __tmpfile (void) FILE *f; /* Get a port to the directory that will contain the file. */ - const char *dirname = __secure_getenv ("TMPDIR") ?: P_tmpdir; + const char *dirname = __libc_secure_getenv ("TMPDIR") ?: P_tmpdir; file_t dir = __file_name_lookup (dirname, 0, 0); if (dir == MACH_PORT_NULL) return NULL; diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c index 62acb9bead..6b741297ce 100644 --- a/sysdeps/posix/libc_fatal.c +++ b/sysdeps/posix/libc_fatal.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1993-1995,1997,2000,2004,2005,2009,2011 - Free Software Foundation, Inc. +/* Copyright (C) 1993-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -61,7 +60,7 @@ __libc_message (int do_abort, const char *fmt, ...) /* Open a descriptor for /dev/tty unless the user explicitly requests errors on standard error. */ - const char *on_2 = __secure_getenv ("LIBC_FATAL_STDERR_"); + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); if (on_2 == NULL || *on_2 == '\0') fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); diff --git a/sysdeps/posix/sysconf.c b/sysdeps/posix/sysconf.c index 1f988d547a..d9b3c83ab7 100644 --- a/sysdeps/posix/sysconf.c +++ b/sysdeps/posix/sysconf.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1991,1993,1995-1997,1999-2003,2004,2006,2009 - Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -1259,7 +1258,7 @@ __sysconf_check_spec (const char *spec) { int save_errno = errno; - const char *getconf_dir = __secure_getenv ("GETCONF_DIR") ?: GETCONF_DIR; + const char *getconf_dir = __libc_secure_getenv ("GETCONF_DIR") ?: GETCONF_DIR; size_t getconf_dirlen = strlen (getconf_dir); size_t speclen = strlen (spec); diff --git a/sysdeps/posix/tempname.c b/sysdeps/posix/tempname.c index a98f1d6e9b..2f0bfef34f 100644 --- a/sysdeps/posix/tempname.c +++ b/sysdeps/posix/tempname.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991-2001, 2006, 2007, 2009 Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -101,8 +101,12 @@ # define __xstat64(version, path, buf) stat (path, buf) #endif -#if ! (HAVE___SECURE_GETENV || _LIBC) -# define __secure_getenv getenv +#if ! (HAVE_SECURE_GETENV || _LIBC) +# ifdef HAVE___SECURE_GETENV +# define __libc_secure_getenv __secure_getenv +# else +# define __libc_secure_getenv getenv +# endif #endif #ifdef _LIBC @@ -168,7 +172,7 @@ __path_search (char *tmpl, size_t tmpl_len, const char *dir, const char *pfx, if (try_tmpdir) { - d = __secure_getenv ("TMPDIR"); + d = __libc_secure_getenv ("TMPDIR"); if (d != NULL && direxists (d)) dir = d; else if (dir != NULL && direxists (dir)) diff --git a/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist b/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist index d6695ebb91..0e8576fdd5 100644 --- a/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist @@ -1811,6 +1811,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/libc_fatal.c b/sysdeps/unix/sysv/linux/libc_fatal.c index 58a5a7f838..6cc96d76e9 100644 --- a/sysdeps/unix/sysv/linux/libc_fatal.c +++ b/sysdeps/unix/sysv/linux/libc_fatal.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1993-1995,1997,2000,2002-2005,2009,2011 - Free Software Foundation, Inc. +/* Copyright (C) 1993-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -64,7 +63,7 @@ __libc_message (int do_abort, const char *fmt, ...) /* Open a descriptor for /dev/tty unless the user explicitly requests errors on standard error. */ - const char *on_2 = __secure_getenv ("LIBC_FATAL_STDERR_"); + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); if (on_2 == NULL || *on_2 == '\0') fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist index 706d2a9eb8..75123b9f3a 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist @@ -1772,6 +1772,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist index a0d362e111..e2484d3f22 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.3 GLIBC_2.3 A _Exit F diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist index d56560112c..ff0b82f51f 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist @@ -1763,6 +1763,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist index f161a51e29..2fb0786942 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist @@ -84,6 +84,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist index c474f415c7..3fd150e7e5 100644 --- a/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist @@ -84,6 +84,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist index 1804348cfd..7d5a3429fd 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist @@ -1768,6 +1768,9 @@ GLIBC_2.16 sys_errlist D 0x220 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist index 8571fa8da9..6d6e57c114 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist @@ -89,6 +89,9 @@ GLIBC_2.16 sys_errlist D 0x440 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist index 2a1b8e9f93..d6ab153e19 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist @@ -80,6 +80,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2.5 GLIBC_2.2.5 A _Exit F diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist index 13b1d91cf4..65bcead8bc 100644 --- a/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist @@ -2078,3 +2078,6 @@ GLIBC_2.16 xencrypt F xprt_register F xprt_unregister F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F |