author Adhemerval Zanella <adhemerval.zanella@linaro.org> 2023-11-06 17:25:36 -0300
committer Adhemerval Zanella <adhemerval.zanella@linaro.org> 2023-11-21 16:15:42 -0300
commit 9c96c87d60eafa4d78406e606e92b42bd4b570ad
tree f2b1db62e65cdf8cae4e058bea8e40aae847dc16 /manual
parent a72a4eb10b2d9aef7a53f9d2facf166a685d85fb
elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky tunable parsing can be in a security-sensitive environment.

Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries.

It also means that security opt-in features, like aarch64 MTE, would need to be explicitly enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'manual')
-rw-r--r-- manual/README.tunables 9
1 files changed, 0 insertions, 9 deletions
diff --git a/manual/README.tunables b/manual/README.tunables
index 605ddd7..72ae00d 100644
--- a/manual/README.tunables
+++ b/manual/README.tunables
@@ -59,15 +59,6 @@ The list of allowed attributes are:
- env_alias: An alias environment variable
-- security_level: Specify security level of the tunable for AT_SECURE
- binaries. Valid values are:
-
- SXID_ERASE: (default) Do not read and do not pass on to
- child processes.
- SXID_IGNORE: Do not read, but retain for non-AT_SECURE
- child processes.
- NONE: Read all the time.
-
2. Use TUNABLE_GET/TUNABLE_SET/TUNABLE_SET_WITH_BOUNDS to get and set tunables.
3. OPTIONAL: If tunables in a namespace are being used multiple times within a
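Review bot: With the security_level entry (SXID_ERASE / SXID_IGNORE / NONE) dropped from the allowed-attributes list, README.tunables no longer says anything about how tunables behave in AT_SECURE binaries. Since the commit subject states that GLIBC_TUNABLES is now ignored for setuid/setgid binaries, I would add one sentence in this section saying so, so that someone adding a tunable does not go looking for a per-tunable setting. The removed text also distinguished "do not pass on to child processes" from "retain for non-AT_SECURE child processes"; the replacement sentence should state which of the two now applies to the variable as a whole, since this manual-only diff does not show it.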