From 9c96c87d60eafa4d78406e606e92b42bd4b570ad Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella
Date: Mon, 6 Nov 2023 17:25:36 -0300
Subject: elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries

The tunable privilege levels were a retrofit to try and keep the malloc
tunable environment variables' behavior unchanged across security
boundaries. However, CVE-2023-4911 shows how tricky tunable parsing can be
in a security-sensitive environment. Not only parsing, but the malloc
tunable essentially changes some semantics on setuid/setgid processes.
Although it is not a direct security issue, allowing users to change
setuid/setgid semantics is not a good security practice, and requires
extra code and analysis to check if each tunable is safe to use on all
security boundaries.

It also means that security opt-in features, like aarch64 MTE, would need
to be explicitly enabled by an administrator with a wrapper script or with
a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar
Reviewed-by: DJ Delorie
---
 manual/README.tunables | 9 ---------
 1 file changed, 9 deletions(-)

(limited to 'manual/README.tunables')

diff --git a/manual/README.tunables b/manual/README.tunables
index 605ddd7..72ae00d 100644
--- a/manual/README.tunables
+++ b/manual/README.tunables
@@ -59,15 +59,6 @@ The list of allowed attributes are: - env_alias: An alias environment variable -- security_level: Specify security level of the tunable for AT_SECURE - binaries. Valid values are: - - SXID_ERASE: (default) Do not read and do not pass on to - child processes. - SXID_IGNORE: Do not read, but retain for non-AT_SECURE - child processes. - NONE: Read all the time. - 2. Use TUNABLE_GET/TUNABLE_SET/TUNABLE_SET_WITH_BOUNDS to get and set tunables. 3. OPTIONAL: If tunables in a namespace are being used multiple times within a
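Review bot: the hunk removes the security_level attribute together with its SXID_ERASE, SXID_IGNORE and NONE values but adds nothing in their place, so after this change the README no longer states what happens to tunables in AT_SECURE binaries at all. Since the subject line says GLIBC_TUNABLES is now ignored for setuid/setgid binaries, that rule belongs in this file; a single sentence near the attribute list, for example "GLIBC_TUNABLES is ignored entirely in AT_SECURE (setuid/setgid) binaries.", would keep the manual in step with the code. The surviving "- env_alias: An alias environment variable" context line also leaves it unstated whether alias variables are treated the same way under AT_SECURE, which is exactly the case the old SXID_IGNORE text covered, so the added sentence should say so explicitly. The implementing change in elf/ is not part of this diff (the page is limited to manual/README.tunables), so the wording should be checked against that change before this is merged.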