From: Sergey Vlasov
To: devel@lists.altlinux.org
Date: Fri, 25 Sep 2009 13:24:03 +0400
Subject: Re: [devel] suid binaries and ELF Auxiliary Vectors
Message-ID: <20090925092402.GA5880@newmaster.mivlgu.local>

On Fri, Sep 25, 2009 at 10:38:50AM +0300, Kirill A. Shutemov wrote:
> Can anyone tell me why a suid binary gets an empty
> auxv?

Actually, it gets a non-empty auxv; however, the code used to locate auxv
does not work under these conditions.

> A small testcase:
>
> #include <stdio.h>
> #include <elf.h>
> #include <unistd.h>
>
> int main(int argc, char **argv, char **envp)
> {
>         Elf32_auxv_t *auxv;
>         while(*envp++ != NULL);
>
>         for (auxv = (Elf32_auxv_t *)envp; auxv->a_type != AT_NULL; auxv++)
>                 printf("%d: 0x%08x\n", auxv->a_type, auxv->a_un.a_val);
>
>         printf("uid: %d\n", geteuid());
>
>         return 0;
> }
>
> For x86_64, it needs to be adjusted slightly.
>
> If the executable has no suid bit (or owner == uid), then auxv
> is printed normally; otherwise we get only the uid. Any ideas why?
> And where is the code that does this?

When a program is started with elevated privileges (with the
__libc_enable_secure flag set), glibc/elf/rtld.c:process_envvars()
removes some environment variables by calling unsetenv(); as a result,
a simple search for NULL in envp fails to find the start of auxv.
You can try running the SUID program with a cleared environment
(via "env -", or by explicitly removing only the interfering variables) - in
that case the auxv search succeeds even with SUID set.
Usually at least the PWD and TMPDIR variables get in the way.

Assuming that auxv cannot be empty, and that the current implementation
of unsetenv() from glibc/elf/dl-environ.c is used (where the tail of envp
is guaranteed to be filled with NULL even when several variables with the
same name are removed at once), the following hackaround works:

 	while(*envp++ != NULL);
+	while (*envp == NULL) ++envp;

(this adds skipping of the extra NULLs).
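
Review bot: the added "while (*envp == NULL) ++envp;" line has no upper bound and treats the first non-zero word after the run of NULLs as the start of auxv, so it is correct only under the two assumptions stated with it (auxv is never empty, and the slots freed by unsetenv() are always NULL-filled). Put those assumptions in a comment next to the loop, and on systems that provide them prefer getauxval(3) or /proc/self/auxv over walking past envp.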
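
The failure and the workaround described above, reproduced on a constructed stack image (an added example, not code from the original message or from glibc). The names model_unsetenv, find_auxv and run_model, the sample strings and the `end` bound on the skip loop are assumptions made for this model; the removal loop is a simplified model of the pointer-shifting behaviour the message describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t word;                 /* one stack slot */
enum { AT_NULL = 0, AT_PAGESZ = 6, AT_UID = 11 };

/* Model of the removal: later pointers, terminator included, shift down one
   slot, so the old terminator slot is left holding a second NULL. */
static void model_unsetenv(word *envp, const char *name)
{
    size_t n = strlen(name);
    for (word *ep = envp; *ep != 0; ) {
        const char *s = (const char *)*ep;
        if (strncmp(s, name, n) != 0 || s[n] != '=') { ++ep; continue; }
        word *dp = ep;
        do dp[0] = dp[1]; while (*dp++ != 0);
    }
}

/* Scan from the testcase; skip_nulls adds the hackaround. `end` bounds the
   skip loop (a safety check added for this model). */
static const word *find_auxv(const word *envp, const word *end, int skip_nulls)
{
    while (*envp++ != 0) ;
    while (skip_nulls && envp < end && *envp == 0) ++envp;
    return envp;
}

static size_t auxv_count(const word *auxv)
{
    size_t n = 0;
    for (; auxv[0] != AT_NULL; auxv += 2) ++n;
    return n;
}

/* Constructed image: 3 env strings, NULL, 2 auxv entries, AT_NULL. */
static size_t run_model(int secure, int skip_nulls)
{
    word img[] = { (word)"PATH=/bin", (word)"TMPDIR=/tmp", (word)"HOME=/root", 0,
                   AT_PAGESZ, 4096, AT_UID, 1000, AT_NULL, 0 };
    if (secure) model_unsetenv(img, "TMPDIR");  /* privileged start */
    return auxv_count(find_auxv(img, img + sizeof img / sizeof img[0], skip_nulls));
}

int main(void)
{
    printf("secure start: plain scan sees %zu entries, NULL skip sees %zu\n",
           run_model(1, 0), run_model(1, 1));
    return 0;
}
```

After the removal the plain scan lands on the leftover NULL slot, reads it as AT_NULL and reports an empty vector, which matches the "only the uid" output in the quoted report.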