diff options
40 files changed, 446 insertions, 28 deletions
@@ -1,3 +1,66 @@ +2012-07-25 Florian Weimer <fweimer@redhat.com> + + * Versions.def: Add GLIBC_2.17. + + * stdlib/stdlib.h: Rename __secure_getenv to secure_getenv. + * include/stdlib.h: Rename __secure_getenv to secure_getenv. + Introduce __libc_secure_getenv. + * stdlib/Versions: Add secure_getenv and __libc_secure_getenv. + * stdlib/secure-getenv.c: Likewise. Update copyright years. + * stdlib/tst-secure-getenv.c: New. + * stdlib/Makefile (tests): Add testcase. + + * manual/startup.texi (Environment Access): Document + secure_getenv. + + * hesiod/hesiod.c (hesiod_init): Rename __secure_getenv to + __libc_secure_getenv. + * inet/ruserpass.c (ruserpass): Likewise. + * malloc/mtrace.c (mtrace): Likewise. + * sysdeps/mach/hurd/tmpfile.c (__tmpfile): Likewise. + * sysdeps/posix/libc_fatal.c (__libc_fatal): Likewise. Update + copyright years. + * sysdeps/posix/sysconf.c (__sysconf__check_spec): Likewise. + * sysdeps/posix/tempname.c: Likewise. Evaluate + HAVE_SECURE_GETENV. + * sysdeps/unix/sysv/linux/libc_fatal.c (__libc_message): Rename + __secure_getenv to __libc_secure_getenv. Update copyright years. + + * sysdeps/unix/sysv/linux/i386/nptl/libc.abilist: Add secure_getenv. + * sysdeps/unix/sysv/linux/libc_fatal.c: Likewise. + * sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist: + Likewise. + * sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist: + Likewise. + * sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sh/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist: Likewise. + * sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist: Likewise. + * ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist: + Likewise. + * ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist: + Likewise. + 2012-07-25 Joseph Myers <joseph@codesourcery.com> * sysdeps/generic/ldsodefs.h (struct La_i86_regs): Remove. @@ -17,6 +17,10 @@ Version 2.17 zEnterprise z196. Implemented by Andreas Krebbel. +* The new function secure_getenv allows secure access to the environment, + returning NULL if running in a SUID/SGID process. This function replaces + the internal function __secure_getenv. + Version 2.16 diff --git a/Versions.def b/Versions.def index 2b44f5e..3c9e0ae 100644 --- a/Versions.def +++ b/Versions.def @@ -33,6 +33,7 @@ libc { GLIBC_2.14 GLIBC_2.15 GLIBC_2.16 + GLIBC_2.17 HURD_CTHREADS_0.3 %ifdef EXPORT_UNWIND_FIND_FDE GCC_3.0 diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c index a3f22e5..657dabe 100644 --- a/hesiod/hesiod.c +++ b/hesiod/hesiod.c @@ -87,7 +87,7 @@ hesiod_init(void **context) { ctx->classes[0] = C_IN; ctx->classes[1] = C_HS; - configname = __secure_getenv("HESIOD_CONFIG"); + configname = __libc_secure_getenv("HESIOD_CONFIG"); if (!configname) configname = _PATH_HESIOD_CONF; if (parse_config_file(ctx, configname) < 0) { @@ -109,7 +109,7 @@ hesiod_init(void **context) { * The default RHS can be overridden by an environment * variable. */ - if ((cp = __secure_getenv("HES_DOMAIN")) != NULL) { + if ((cp = __libc_secure_getenv("HES_DOMAIN")) != NULL) { free(ctx->RHS); ctx->RHS = malloc(strlen(cp)+2); if (!ctx->RHS) diff --git a/include/stdlib.h b/include/stdlib.h index de0b414..d45b2f0 100644 --- a/include/stdlib.h +++ b/include/stdlib.h @@ -33,12 +33,13 @@ libc_hidden_proto (__strtold_l) libc_hidden_proto (exit) libc_hidden_proto (abort) libc_hidden_proto (getenv) +extern __typeof (secure_getenv) __libc_secure_getenv; +libc_hidden_proto (__libc_secure_getenv) libc_hidden_proto (bsearch) libc_hidden_proto (qsort) libc_hidden_proto (qsort_r) libc_hidden_proto (lrand48_r) libc_hidden_proto (wctomb) -libc_hidden_proto (__secure_getenv) extern long int __random (void); extern void __srandom (unsigned int __seed); diff --git a/inet/ruserpass.c b/inet/ruserpass.c index df423ba..71a734d 100644 --- a/inet/ruserpass.c +++ b/inet/ruserpass.c @@ -102,7 +102,7 @@ ruserpass(host, aname, apass) int t, usedefault = 0; struct stat64 stb; - hdir = __secure_getenv("HOME"); + hdir = __libc_secure_getenv("HOME"); if (hdir == NULL) { /* If we can't get HOME, fail instead of trying ".", which is no improvement. This really should call diff --git a/malloc/mtrace.c b/malloc/mtrace.c index d1049c9..d7a032a 100644 --- a/malloc/mtrace.c +++ b/malloc/mtrace.c @@ -309,7 +309,7 @@ mtrace () /* When compiling the GNU libc we use the secure getenv function which prevents the misuse in case of SUID or SGID enabled programs. */ - mallfile = __secure_getenv (mallenv); + mallfile = __libc_secure_getenv (mallenv); #else mallfile = getenv (mallenv); #endif diff --git a/manual/startup.texi b/manual/startup.texi index 0420e93..d0be5e6 100644 --- a/manual/startup.texi +++ b/manual/startup.texi @@ -310,11 +310,15 @@ character, since this is assumed to terminate the string. The value of an environment variable can be accessed with the @code{getenv} function. This is declared in the header file -@file{stdlib.h}. Modifications of enviroment variables are not -allowed in Multi-threaded programs. The @code{getenv} function -can be safely used in multi-threaded programs +@file{stdlib.h}. @pindex stdlib.h +Libraries should use @code{secure_getenv} instead of @code{getenv}, so +that they do not accidentally use untrusted environment variables. +Modifications of environment variables are not allowed in +multi-threaded programs. The @code{getenv} and @code{secure_getenv} +functions can be safely used in multi-threaded programs. + @comment stdlib.h @comment ISO @deftypefun {char *} getenv (const char *@var{name}) @@ -326,6 +330,18 @@ environment variable @var{name} is not defined, the value is a null pointer. @end deftypefun +@comment stdlib.h +@comment GNU +@deftypefun {char *} secure_getenv (const char *@var{name}) +This function is similar to @code{getenv}, but it returns a null +pointer if the environment is untrusted. This happens when the +program file has SUID or SGID bits set. General-purpose libraries +should always prefer this function over @code{getenv} to avoid +vulnerabilities if the library is referenced from a SUID/SGID program. + +This function is a GNU extension. +@end deftypefun + @comment stdlib.h @comment SVID diff --git a/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist index 6d333aa..f8a3295 100644 --- a/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/alpha/nptl/libc.abilist @@ -1811,6 +1811,9 @@ GLIBC_2.16 sys_errlist D 0x460 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist index 1f496fb..5523fdd 100644 --- a/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/arm/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.4 GLIBC_2.4 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist index 6939ad7..b73f5ca 100644 --- a/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/ia64/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist index ca31ead..9a92457 100644 --- a/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/m68k/coldfire/nptl/libc.abilist @@ -79,6 +79,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.4 GLIBC_2.4 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist index c2706f1..fbcd208 100644 --- a/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/m68k/m680x0/nptl/libc.abilist @@ -1767,6 +1767,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist index 80f7d33..54e8d1a 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips32/nptl/libc.abilist @@ -2242,3 +2242,6 @@ GLIBC_2.9 pipe2 F _gp_disp _gp_disp A +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist index 6d64e1d..2a0e2a2 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips64/n32/nptl/libc.abilist @@ -1390,6 +1390,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist index 701152e..0e21194 100644 --- a/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/mips/mips64/n64/nptl/libc.abilist @@ -1388,6 +1388,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist index 43015f4..11ad6a5 100644 --- a/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/nptl/libc.abilist @@ -1772,6 +1772,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist index eed3b49..48f0c69 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist index 2dbce23..3aa70a1 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist b/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist index eed3b49..48f0c69 100644 --- a/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist +++ b/ports/sysdeps/unix/sysv/linux/tile/tilepro/nptl/libc.abilist @@ -2080,3 +2080,6 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F diff --git a/stdlib/Makefile b/stdlib/Makefile index f7811c5..10674f2 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -68,7 +68,9 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ tst-makecontext2 tst-strtod6 tst-unsetenv1 \ - tst-makecontext3 bug-getcontext bug-fmtmsg1 + tst-makecontext3 bug-getcontext bug-fmtmsg1 \ + tst-secure-getenv +tests-static := tst-secure-getenv include ../Makeconfig diff --git a/stdlib/Versions b/stdlib/Versions index 2aa396e..250bd5f 100644 --- a/stdlib/Versions +++ b/stdlib/Versions @@ -6,7 +6,7 @@ libc { # functions used in inline functions or macros __strto*_internal; - # functions used in other libraries + # compatibility symbol __secure_getenv; # a* @@ -103,11 +103,16 @@ libc { GLIBC_2.13 { __fentry__; } + GLIBC_2.17 { + secure_getenv; + } GLIBC_PRIVATE { # functions which have an additional interface since they are # are cancelable. __libc_system; # Variable which needs a dynamic symbol table entry. __abort_msg; + # Used from other libraries + __libc_secure_getenv; } } diff --git a/stdlib/secure-getenv.c b/stdlib/secure-getenv.c index f64759f..2e696e9 100644 --- a/stdlib/secure-getenv.c +++ b/stdlib/secure-getenv.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991, 1992, 1994, 1996, 2002 Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -18,13 +18,20 @@ #include <stdlib.h> #include <unistd.h> +#include <shlib-compat.h> + /* Some programs and especially the libc itself have to be careful what values to accept from the environment. This special version checks for SUID or SGID first before doing any work. */ char * -__secure_getenv (name) +__libc_secure_getenv (name) const char *name; { return __libc_enable_secure ? NULL : getenv (name); } -libc_hidden_def (__secure_getenv) +weak_alias (__libc_secure_getenv, secure_getenv) +libc_hidden_weak (__libc_secure_getenv) + +#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_16) +compat_symbol (libc, __libc_secure_getenv, __secure_getenv, GLIBC_2_0); +#endif diff --git a/stdlib/stdlib.h b/stdlib/stdlib.h index f652eda..cf3f39c 100644 --- a/stdlib/stdlib.h +++ b/stdlib/stdlib.h @@ -568,10 +568,12 @@ __BEGIN_NAMESPACE_STD extern char *getenv (const char *__name) __THROW __nonnull ((1)) __wur; __END_NAMESPACE_STD +#ifdef __USE_GNU /* This function is similar to the above but returns NULL if the programs is running with SUID or SGID enabled. */ -extern char *__secure_getenv (const char *__name) +extern char *secure_getenv (const char *__name) __THROW __nonnull ((1)) __wur; +#endif #if defined __USE_SVID || defined __USE_XOPEN /* The SVID says this is in <stdio.h>, but this seems a better place. */ diff --git a/stdlib/tst-secure-getenv.c b/stdlib/tst-secure-getenv.c new file mode 100644 index 0000000..76d8de6 --- /dev/null +++ b/stdlib/tst-secure-getenv.c @@ -0,0 +1,250 @@ +/* Copyright (C) 2012 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +/* Test that secure_getenv works by invoking the test as a SGID + program with a group ID from the supplementary group list. This + test can fail spuriously if the user is not a member of a suitable + supplementary group. */ + +#include <errno.h> +#include <fcntl.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <unistd.h> + +static char MAGIC_ARGUMENT[] = "run-actual-test"; +#define MAGIC_STATUS 19 + +static const char *test_dir; + +/* Return a GID which is not our current GID, but is present in the + supplementary group list. */ +static gid_t +choose_gid (void) +{ + const int count = 64; + gid_t groups[count]; + int ret = getgroups (count, groups); + if (ret < 0) + { + perror ("getgroups"); + exit (1); + } + gid_t current = getgid (); + for (int i = 0; i < ret; ++i) + { + if (groups[i] != current) + return groups[i]; + } + return 0; +} + + +/* Copies the executable into a restricted directory, so that we can + safely make it SGID with the TARGET group ID. Then runs the + executable. */ +static int +run_executable_sgid (gid_t target) +{ + char *dirname = 0; + char *execname = 0; + int infd = -1; + int outfd = -1; + int ret = -1; + if (asprintf (&dirname, "%s/secure-getenv.%jd", + test_dir, (intmax_t) getpid ()) < 0) + { + perror ("asprintf"); + goto err; + } + if (mkdir (dirname, 0700) < 0) + { + perror ("mkdir"); + goto err; + } + if (asprintf (&execname, "%s/bin", dirname) < 0) + { + perror ("asprintf"); + goto err; + } + infd = open ("/proc/self/exe", O_RDONLY); + if (infd < 0) + { + perror ("open"); + goto err; + } + outfd = open (execname, O_WRONLY | O_CREAT | O_EXCL, 0700); + if (outfd < 0) + { + perror ("open"); + goto err; + } + char buf[4096]; + for (;;) + { + ssize_t rdcount = read (infd, buf, sizeof (buf)); + if (rdcount < 0) + { + perror ("read"); + goto err; + } + if (rdcount == 0) + break; + char *p = buf; + char *end = buf + rdcount; + while (p != end) + { + ssize_t wrcount = write (outfd, buf, end - p); + if (wrcount == 0) + errno = ENOSPC; + if (wrcount <= 0) + { + perror ("write"); + goto err; + } + p += wrcount; + } + } + if (fchown (outfd, getuid (), target) < 0) + { + perror ("fchown"); + goto err; + } + if (fchmod (outfd, 02750) < 0) + { + perror ("fchmod"); + goto err; + } + if (close (outfd) < 0) + { + perror ("close"); + goto err; + } + if (close (infd) < 0) + { + perror ("close"); + goto err; + } + + int kid = fork (); + if (kid < 0) + { + perror ("fork"); + goto err; + } + if (kid == 0) + { + /* Child process. */ + char *args[] = { execname, MAGIC_ARGUMENT, NULL }; + execve (execname, args, environ); + perror ("execve"); + _exit (1); + } + int status; + if (waitpid (kid, &status, 0) < 0) + { + perror ("waitpid"); + goto err; + } + if (!WIFEXITED (status) || WEXITSTATUS (status) != MAGIC_STATUS) + { + fprintf (stderr, "Unexpected exit status %d from child process\n", + status); + goto err; + } + ret = 0; + +err: + if (outfd >= 0) + close (outfd); + if (infd >= 0) + close (infd); + if (execname) + { + unlink (execname); + free (execname); + } + if (dirname) + { + rmdir (dirname); + free (dirname); + } + return ret; +} + +static int +do_test (void) +{ + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set\n"); + exit (1); + } + if (secure_getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH not set according to secure_getenv\n"); + exit (1); + } + if (strcmp (getenv ("PATH"), secure_getenv ("PATH")) != 0) + { + fprintf (stderr, "PATH mismatch (%s, %s)\n", + getenv ("PATH"), secure_getenv ("PATH")); + exit (1); + } + + gid_t target = choose_gid (); + if (target == 0) + { + fprintf (stderr, "Could not find a suitable GID user %jd\n", + (intmax_t) getuid ()); + exit (1); + } + return run_executable_sgid (target); +} + +static void +alternative_main (int argc, char **argv) +{ + if (argc == 2 && strcmp (argv[1], MAGIC_ARGUMENT) == 0) + { + if (getgid () == getegid ()) + { + fprintf (stderr, "SGID failed: GID and EGID match (%jd)\n", + (intmax_t) getgid ()); + exit (2); + } + if (getenv ("PATH") == NULL) + { + fprintf (stderr, "PATH variable not present\n"); + exit (3); + } + if (secure_getenv ("PATH") != NULL) + { + fprintf (stderr, "PATH variable not filtered out\n"); + exit (4); + } + exit (MAGIC_STATUS); + } +} + +#define PREPARE(argc, argv) alternative_main(argc, argv) +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/sysdeps/mach/hurd/tmpfile.c b/sysdeps/mach/hurd/tmpfile.c index 94b1380..c2aa764 100644 --- a/sysdeps/mach/hurd/tmpfile.c +++ b/sysdeps/mach/hurd/tmpfile.c @@ -37,7 +37,7 @@ __tmpfile (void) FILE *f; /* Get a port to the directory that will contain the file. */ - const char *dirname = __secure_getenv ("TMPDIR") ?: P_tmpdir; + const char *dirname = __libc_secure_getenv ("TMPDIR") ?: P_tmpdir; file_t dir = __file_name_lookup (dirname, 0, 0); if (dir == MACH_PORT_NULL) return NULL; diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c index 62acb9b..6b74129 100644 --- a/sysdeps/posix/libc_fatal.c +++ b/sysdeps/posix/libc_fatal.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1993-1995,1997,2000,2004,2005,2009,2011 - Free Software Foundation, Inc. +/* Copyright (C) 1993-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -61,7 +60,7 @@ __libc_message (int do_abort, const char *fmt, ...) /* Open a descriptor for /dev/tty unless the user explicitly requests errors on standard error. */ - const char *on_2 = __secure_getenv ("LIBC_FATAL_STDERR_"); + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); if (on_2 == NULL || *on_2 == '\0') fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); diff --git a/sysdeps/posix/sysconf.c b/sysdeps/posix/sysconf.c index 1f988d5..d9b3c83 100644 --- a/sysdeps/posix/sysconf.c +++ b/sysdeps/posix/sysconf.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1991,1993,1995-1997,1999-2003,2004,2006,2009 - Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -1259,7 +1258,7 @@ __sysconf_check_spec (const char *spec) { int save_errno = errno; - const char *getconf_dir = __secure_getenv ("GETCONF_DIR") ?: GETCONF_DIR; + const char *getconf_dir = __libc_secure_getenv ("GETCONF_DIR") ?: GETCONF_DIR; size_t getconf_dirlen = strlen (getconf_dir); size_t speclen = strlen (spec); diff --git a/sysdeps/posix/tempname.c b/sysdeps/posix/tempname.c index a98f1d6..2f0bfef 100644 --- a/sysdeps/posix/tempname.c +++ b/sysdeps/posix/tempname.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991-2001, 2006, 2007, 2009 Free Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -101,8 +101,12 @@ # define __xstat64(version, path, buf) stat (path, buf) #endif -#if ! (HAVE___SECURE_GETENV || _LIBC) -# define __secure_getenv getenv +#if ! (HAVE_SECURE_GETENV || _LIBC) +# ifdef HAVE___SECURE_GETENV +# define __libc_secure_getenv __secure_getenv +# else +# define __libc_secure_getenv getenv +# endif #endif #ifdef _LIBC @@ -168,7 +172,7 @@ __path_search (char *tmpl, size_t tmpl_len, const char *dir, const char *pfx, if (try_tmpdir) { - d = __secure_getenv ("TMPDIR"); + d = __libc_secure_getenv ("TMPDIR"); if (d != NULL && direxists (d)) dir = d; else if (dir != NULL && direxists (dir)) diff --git a/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist b/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist index d6695eb..0e8576f 100644 --- a/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/i386/nptl/libc.abilist @@ -1811,6 +1811,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/libc_fatal.c b/sysdeps/unix/sysv/linux/libc_fatal.c index 58a5a7f8..6cc96d7 100644 --- a/sysdeps/unix/sysv/linux/libc_fatal.c +++ b/sysdeps/unix/sysv/linux/libc_fatal.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1993-1995,1997,2000,2002-2005,2009,2011 - Free Software Foundation, Inc. +/* Copyright (C) 1993-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -64,7 +63,7 @@ __libc_message (int do_abort, const char *fmt, ...) /* Open a descriptor for /dev/tty unless the user explicitly requests errors on standard error. */ - const char *on_2 = __secure_getenv ("LIBC_FATAL_STDERR_"); + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); if (on_2 == NULL || *on_2 == '\0') fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist index 706d2a9..75123b9 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/nptl/libc.abilist @@ -1772,6 +1772,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist index a0d362e..e2484d3 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/nptl/libc.abilist @@ -78,6 +78,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.3 GLIBC_2.3 A _Exit F diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist index d565601..ff0b82f 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-32/nptl/libc.abilist @@ -1763,6 +1763,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist index f161a51..2fb0786 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-64/nptl/libc.abilist @@ -84,6 +84,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist index c474f41..3fd150e 100644 --- a/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sh/nptl/libc.abilist @@ -84,6 +84,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist index 1804348..7d5a342 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc32/nptl/libc.abilist @@ -1768,6 +1768,9 @@ GLIBC_2.16 sys_errlist D 0x220 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _IO_adjust_wcolumn F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist index 8571fa8..6d6e57c 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc64/nptl/libc.abilist @@ -89,6 +89,9 @@ GLIBC_2.16 sys_errlist D 0x440 sys_nerr D 0x4 timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2 GLIBC_2.2 A _Exit F diff --git a/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist index 2a1b8e9..d6ab153 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/64/nptl/libc.abilist @@ -80,6 +80,9 @@ GLIBC_2.16 mbrtoc16 F mbrtoc32 F timespec_get F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F GLIBC_2.2.5 GLIBC_2.2.5 A _Exit F diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist index 13b1d91..65bcead 100644 --- a/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/x32/nptl/libc.abilist @@ -2078,3 +2078,6 @@ GLIBC_2.16 xencrypt F xprt_register F xprt_unregister F +GLIBC_2.17 + GLIBC_2.17 A + secure_getenv F |