* [patch] ld.so.8: outline missed cases of secure run
@ 2015-08-31 16:12 Maria Guseva
  2015-09-01  7:18 ` Yury Gribov
  2015-09-14  5:37 ` Michael Kerrisk (man-pages)
  0 siblings, 2 replies; 13+ messages in thread
From: Maria Guseva @ 2015-08-31 16:12 UTC (permalink / raw)
  To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w
  Cc: linux-man-u79uwXL29TY76Z2rM5mHXA, 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ

Hello,

For the purpose of security, many ld.so options (e.g. --inhibit-rpath,
LD_LIBRARY_PATH and others) are disabled for secure types of programs.
The current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
However, according to the GNU libc sources there could be other cases where
__libc_enable_secure is set to non-zero: when the AT_SECURE value is set in
the auxiliary vector:

elf/dl-sysdep.c:148
      case AT_SECURE:
#ifndef HAVE_AUX_SECURE
        seen = -1;
#endif
        __libc_enable_secure = av->a_un.a_val;

So I suggest the ld.so man page should reflect this. The man3/getauxval.3 page
already covers this.
The proposed patch is below. Maybe it is also worth mentioning the particular case
of binary files with capabilities, as is done on the getauxval.3 page.

diff --git a/man8/ld.so.8 b/man8/ld.so.8
index 8d8a759..686a0e4 100644
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
@@ -62,8 +62,8 @@ Use of DT_RPATH is deprecated.
 .IP o
 Using the environment variable
 .BR LD_LIBRARY_PATH .
-Except if the executable is a set-user-ID/set-group-ID binary,
-in which case it is ignored.
+Except if the executable is a set-user-ID/set-group-ID binary or has a
non-zero
+AT_SECURE value in auxiliary vector, in which cases it is ignored.
 .IP o
 (ELF only) Using the directories specified in the
 DT_RUNPATH dynamic section attribute
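Review bot: the wrapped continuation line `non-zero` has no leading `+`, so the hunk is malformed and `git apply` will reject it; the mail client reflowed the long added line. Resend with the added line kept whole (`+Except if the executable is a set-user-ID/set-group-ID binary or has a non-zero`), and write `in the auxiliary vector` rather than `in auxiliary vector`.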
@@ -168,7 +168,8 @@ Ignore RPATH and RUNPATH information in object names in
 .IR list .
 This option is ignored if
 .B ld.so
-is set-user-ID or set-group-ID.
+is set-user-ID or set-group-ID or has a non-zero AT_SECURE value
+in auxiliary vector.
 .TP
 .BI \-\-audit " list"
 Use objects named in
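Review bot: the rewritten sentence keeps `ld.so` as the subject of all three conditions (`is set-user-ID or set-group-ID or has a non-zero AT_SECURE value`), but AT_SECURE is an entry in the process's auxiliary vector, not an attribute of ld.so. Say that the option is ignored when the process is running with a nonzero AT_SECURE value (or, more simply, in secure-execution mode) instead of attaching the value to ld.so.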
@@ -235,7 +236,8 @@ The items in the list are separated by either colons or
semicolons.
 Similar to the
 .B PATH
 environment variable.
-Ignored in set-user-ID and set-group-ID programs.
+Ignored in set-user-ID and set-group-ID programs and programs with a
non-zero
+AT_SECURE value in auxiliary vector.
 .TP
 .B LD_PRELOAD
 A list of additional, user-specified, ELF shared
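Review bot: same line-wrapping problem as in the first hunk: `non-zero` stands alone without a `+` prefix, so this hunk will not apply either. The header `-235,7 +236,8` is only consistent once that line is rejoined with the one above it.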
@@ -243,7 +245,8 @@ objects to be loaded before all others.
 The items of the list can be separated by spaces or colons.
 This can be used to selectively override functions in other shared objects.
 The objects are searched for using the rules given under DESCRIPTION.
-For set-user-ID/set-group-ID ELF binaries,
+For set-user-ID/set-group-ID ELF binaries
+or programs with a non-zero AT_SECURE value in auxiliary vector,
 preload pathnames containing slashes are ignored,
 and shared objects in the standard search directories are loaded
 only if the set-user-ID mode bit is enabled on the shared object file.
@@ -282,7 +285,8 @@ to be loaded before all others in a separate linker
namespace
 would occur in the process).
 These objects can be used to audit the operation of the dynamic linker.
 .B LD_AUDIT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.

 The dynamic linker will notify the audit
 shared objects at so-called auditing checkpoints\(emfor example,
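Review bot: `in auxiliary vector` is missing its article (`in the auxiliary vector`) here and in every later entry. Since the identical clause is pasted into nine entries, it would be less error-prone to define the condition once under ENVIRONMENT and have each entry refer to it; a later correction would then not have to touch every entry.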
@@ -313,7 +317,8 @@ prints a help message about which categories can be
specified in this
 environment variable.
 Since glibc 2.3.4,
 .B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.
 .TP
 .B LD_DEBUG_OUTPUT
 (glibc since 2.1)
@@ -322,14 +327,16 @@ File in which
 output should be written.
 The default is standard error.
 .B LD_DEBUG_OUTPUT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.
 .TP
 .B LD_DYNAMIC_WEAK
 (glibc since 2.1.91)
 Allow weak symbols to be overridden (reverting to old glibc behavior).
 For security reasons, since glibc 2.3.4,
 .B LD_DYNAMIC_WEAK
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.
 .TP
 .B LD_HWCAP_MASK
 (glibc since 2.1)
@@ -350,7 +357,8 @@ version numbers.
 Path where the binary is found (for non-set-user-ID programs).
 For security reasons, since glibc 2.4,
 .B LD_ORIGIN_PATH
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.
 .\" Only used if $ORIGIN can't be determined by normal means
 .\" (from the origin path saved at load time, or from /proc/self/exe)?
 .TP
@@ -382,7 +390,8 @@ If this variable is not defined, or is defined as an
empty string,
 then the default is
 .IR /var/tmp .
 .B LD_PROFILE_OUTPUT
-is ignored for set-user-ID and set-group-ID programs,
+is ignored for set-user-ID and set-group-ID programs and programs with
+a non-zero AT_SECURE value in auxiliary vector,
 which always use
 .IR /var/profile .
 .TP
@@ -391,7 +400,8 @@ which always use
 Show auxiliary array passed up from the kernel.
 For security reasons, since glibc 2.3.5,
 .B LD_SHOW_AUXV
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored for set-user-ID/set-group-ID binaries and programs with
+a non-zero AT_SECURE value in auxiliary vector.
 .TP
 .B LD_TRACE_PRELINKING
 (glibc since 2.4)
@@ -421,7 +431,8 @@ If
 .B LD_USE_LOAD_BIAS
 is defined with the value 0,
 neither executables nor PIEs will honor the base addresses.
-This variable is ignored by set-user-ID and set-group-ID programs.
+This variable is ignored by set-user-ID and set-group-ID programs and
+programs with a non-zero AT_SECURE value in auxiliary vector.
 .TP
 .B LD_VERBOSE
 (glibc since 2.1)

Regards,
Maria

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [patch] ld.so.8: outline missed cases of secure run
  2015-08-31 16:12 [patch] ld.so.8: outline missed cases of secure run Maria Guseva
@ 2015-09-01  7:18 ` Yury Gribov
  2015-09-14  5:37 ` Michael Kerrisk (man-pages)
  1 sibling, 1 reply; 13+ messages in thread
From: Yury Gribov @ 2015-09-01  7:18 UTC (permalink / raw)
  To: Maria Guseva, mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w
  Cc: linux-man-u79uwXL29TY76Z2rM5mHXA, v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ

On 08/31/2015 07:12 PM, Maria Guseva wrote:
> Hello,
>
> For the purpose of security many ld.so options(e.g. --inhibit-rpath,
> LD_LIBRARY_PATH and others) are disabled for secure types of programs.
> Current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
> However according to GNU libc sources there could be other cases where
> __libc_enable_secure is set to non-zero -- when AT_SECURE value is set in
> auxiliary vector:

While at it, could you also mention that /etc/suid-debug enables 
LD_DEBUG for suids?

Best regards,
Yury Gribov


* Re: [patch] ld.so.8: outline missed cases of secure run
  2015-08-31 16:12 [patch] ld.so.8: outline missed cases of secure run Maria Guseva
  2015-09-01  7:18 ` Yury Gribov
@ 2015-09-14  5:37 ` Michael Kerrisk (man-pages)
  1 sibling, 4 replies; 13+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-09-14  5:37 UTC (permalink / raw)
  To: Maria Guseva
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w,
	linux-man-u79uwXL29TY76Z2rM5mHXA, 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ

Hello Maria,

On 08/31/2015 06:12 PM, Maria Guseva wrote:
> Hello,
> 
> For the purpose of security many ld.so options(e.g. --inhibit-rpath,
> LD_LIBRARY_PATH and others) are disabled for secure types of programs.
> Current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
> However according to GNU libc sources there could be other cases where
> __libc_enable_secure is set to non-zero -- when AT_SECURE value is set in
> auxiliary vector:
> 
> elf/dl-sysdep.c:148
>       case AT_SECURE:
> #ifndef HAVE_AUX_SECURE
>     seen = -1;
> #endif
>     __libc_enable_secure = av->a_un.a_val;
> 
> 
> So I suggest ld.so man page should reflect this. The man3/getauxval.3 page
> already covers this.  

Thanks for raising this!

> Proposed patch is below. Maybe it also worth mentioning the particular case
> of binary files with capabilities as it's done on getauxval.3 page.
> 
> diff --git a/man8/ld.so.8 b/man8/ld.so.8
> index 8d8a759..686a0e4 100644
> --- a/man8/ld.so.8
> +++ b/man8/ld.so.8
> @@ -62,8 +62,8 @@ Use of DT_RPATH is deprecated.
>  .IP o
>  Using the environment variable
>  .BR LD_LIBRARY_PATH .
> -Except if the executable is a set-user-ID/set-group-ID binary,
> -in which case it is ignored.
> +Except if the executable is a set-user-ID/set-group-ID binary or has a
> non-zero
> +AT_SECURE value in auxiliary vector, in which cases it is ignored.
>  .IP o
>  (ELF only) Using the directories specified in the
>  DT_RUNPATH dynamic section attribute
> @@ -168,7 +168,8 @@ Ignore RPATH and RUNPATH information in object names in
>  .IR list .
>  This option is ignored if
>  .B ld.so
> -is set-user-ID or set-group-ID.
> +is set-user-ID or set-group-ID or has a non-zero AT_SECURE value
> +in auxiliary vector.
>  .TP
>  .BI \-\-audit " list"
>  Use objects named in
> @@ -235,7 +236,8 @@ The items in the list are separated by either colons or
> semicolons.
>  Similar to the
>  .B PATH
>  environment variable.
> -Ignored in set-user-ID and set-group-ID programs.
> +Ignored in set-user-ID and set-group-ID programs and programs with a
> non-zero
> +AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_PRELOAD
>  A list of additional, user-specified, ELF shared
> @@ -243,7 +245,8 @@ objects to be loaded before all others.
>  The items of the list can be separated by spaces or colons.
>  This can be used to selectively override functions in other shared objects.
>  The objects are searched for using the rules given under DESCRIPTION.
> -For set-user-ID/set-group-ID ELF binaries,
> +For set-user-ID/set-group-ID ELF binaries
> +or programs with a non-zero AT_SECURE value in auxiliary vector,
>  preload pathnames containing slashes are ignored,
>  and shared objects in the standard search directories are loaded
>  only if the set-user-ID mode bit is enabled on the shared object file.
> @@ -282,7 +285,8 @@ to be loaded before all others in a separate linker
> namespace
>  would occur in the process).
>  These objects can be used to audit the operation of the dynamic linker.
>  .B LD_AUDIT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
> 
>  The dynamic linker will notify the audit
>  shared objects at so-called auditing checkpoints\(emfor example,
> @@ -313,7 +317,8 @@ prints a help message about which categories can be
> specified in this
>  environment variable.
>  Since glibc 2.3.4,
>  .B LD_DEBUG
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_DEBUG_OUTPUT
>  (glibc since 2.1)
> @@ -322,14 +327,16 @@ File in which
>  output should be written.
>  The default is standard error.
>  .B LD_DEBUG_OUTPUT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_DYNAMIC_WEAK
>  (glibc since 2.1.91)
>  Allow weak symbols to be overridden (reverting to old glibc behavior).
>  For security reasons, since glibc 2.3.4,
>  .B LD_DYNAMIC_WEAK
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_HWCAP_MASK
>  (glibc since 2.1)
> @@ -350,7 +357,8 @@ version numbers.
>  Path where the binary is found (for non-set-user-ID programs).
>  For security reasons, since glibc 2.4,
>  .B LD_ORIGIN_PATH
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
>  .\" Only used if $ORIGIN can't be determined by normal means
>  .\" (from the origin path saved at load time, or from /proc/self/exe)?
>  .TP
> @@ -382,7 +390,8 @@ If this variable is not defined, or is defined as an
> empty string,
>  then the default is
>  .IR /var/tmp .
>  .B LD_PROFILE_OUTPUT
> -is ignored for set-user-ID and set-group-ID programs,
> +is ignored for set-user-ID and set-group-ID programs and programs with
> +a non-zero AT_SECURE value in auxiliary vector,
>  which always use
>  .IR /var/profile .
>  .TP
> @@ -391,7 +400,8 @@ which always use
>  Show auxiliary array passed up from the kernel.
>  For security reasons, since glibc 2.3.5,
>  .B LD_SHOW_AUXV
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored for set-user-ID/set-group-ID binaries and programs with
> +a non-zero AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_TRACE_PRELINKING
>  (glibc since 2.4)
> @@ -421,7 +431,8 @@ If
>  .B LD_USE_LOAD_BIAS
>  is defined with the value 0,
>  neither executables nor PIEs will honor the base addresses.
> -This variable is ignored by set-user-ID and set-group-ID programs.
> +This variable is ignored by set-user-ID and set-group-ID programs and
> +programs with a non-zero AT_SECURE value in auxiliary vector.
>  .TP
>  .B LD_VERBOSE
>  (glibc since 2.1)

I think the idea behind the patch is sound, but (1) a little more 
detail is needed, (2) the formulation above suggests that 
AT_SECURE != 0 is a separate thing from set-UID/set-GID programs,
when in fact executing set-UID/set-GID programs is the most common
case where AT_SECURE is set, and (3) AT_SECURE can be set by other
means.

What do you think of the alternative patch below?

Thanks,

Michael


diff --git a/man8/ld.so.8 b/man8/ld.so.8
index 8d8a759..112406e 100644
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
@@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not exist.
 Use of DT_RPATH is deprecated.
 .IP o
 Using the environment variable
-.BR LD_LIBRARY_PATH .
-Except if the executable is a set-user-ID/set-group-ID binary,
+.BR LD_LIBRARY_PATH
+(unless the executable is being run in secure-execution mode; see below).
 in which case it is ignored.
 .IP o
 (ELF only) Using the directories specified in the
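Review bot: the unchanged context line `in which case it is ignored.` is now orphaned: its antecedent (`Except if the executable is a set-user-ID/set-group-ID binary,`) is deleted and the new parenthetical already ends with a full stop, so the rendered text reads `...; see below). in which case it is ignored.` Delete that line in this hunk as well and adjust the header to `@@ -61,8 +61,7 @@`.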
@@ -166,15 +166,38 @@ environment variable setting (see below).
 .BI \-\-inhibit\-rpath " list"
 Ignore RPATH and RUNPATH information in object names in
 .IR list .
-This option is ignored if
-.B ld.so
-is set-user-ID or set-group-ID.
+This option is ignored if when running in secure-execution mode (see below).
 .TP
 .BI \-\-audit " list"
 Use objects named in
 .I list
 as auditors.
 .SH ENVIRONMENT
+Various environment variable influence the operation of the dynamic linker.
+.\"
+.SS Secure-execution mode
+For security reasons,
+the effects of some environment variables are voided or modified if
+the dynamic linker determines that the binary should be
+run in secure-execution mode.
+This determination is made by checking whether the
+.B AT_SECURE
+entry in the auxiliary vector (see
+.BR getauxval (3))
+has a nonzero value.
+This entry may have a nonzero value for various reasons, including:
+.IP * 3
+The process's real and effective user IDs differ,
+or the real and effective group IDs differ.
+This typically occurs as a result of executing 
+a set-user-ID or set-group-ID program.
+.IP *
+A process with a non-root user ID executed a binary that
+conferred permitted or effective capabilities.
+.IP *
+A nonzero value may have been set by a Linux Security Module.
+.\"
+.SS Environment variables
 Among the more important environment variables are the following:
 .TP
 .B LD_ASSUME_KERNEL
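Review bot: two typos in the added text: `This option is ignored if when running in secure-execution mode` should drop the `if`, and `Various environment variable influence the operation` should read `Various environment variables influence`. The line `This typically occurs as a result of executing ` also carries trailing whitespace. The three-reason list itself is a clear improvement over repeating the AT_SECURE clause in every entry.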
@@ -235,7 +258,7 @@ The items in the list are separated by either colons or semicolons.
 Similar to the
 .B PATH
 environment variable.
-Ignored in set-user-ID and set-group-ID programs.
+This variable is ignore in secure-execution mode.
 .TP
 .B LD_PRELOAD
 A list of additional, user-specified, ELF shared
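Review bot: `This variable is ignore in secure-execution mode.` is missing the participle ending: `is ignored`.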
@@ -243,7 +266,7 @@ objects to be loaded before all others.
 The items of the list can be separated by spaces or colons.
 This can be used to selectively override functions in other shared objects.
 The objects are searched for using the rules given under DESCRIPTION.
-For set-user-ID/set-group-ID ELF binaries,
+In secure-execution mode,
 preload pathnames containing slashes are ignored,
 and shared objects in the standard search directories are loaded
 only if the set-user-ID mode bit is enabled on the shared object file.
@@ -282,7 +305,7 @@ to be loaded before all others in a separate linker namespace
 would occur in the process).
 These objects can be used to audit the operation of the dynamic linker.
 .B LD_AUDIT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 
 The dynamic linker will notify the audit
 shared objects at so-called auditing checkpoints\(emfor example,
@@ -313,7 +336,7 @@ prints a help message about which categories can be specified in this
 environment variable.
 Since glibc 2.3.4,
 .B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_DEBUG_OUTPUT
 (glibc since 2.1)
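Review bot: the LD_DEBUG entry does not reflect the point raised earlier in the thread that /etc/suid-debug re-enables LD_DEBUG for secure-execution binaries; if that behaviour is confirmed in rtld.c, this hunk is where the exception belongs, since a reader of `is ignored in secure-execution mode` would otherwise assume the variable is unconditionally dead.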
@@ -322,14 +345,14 @@ File in which
 output should be written.
 The default is standard error.
 .B LD_DEBUG_OUTPUT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_DYNAMIC_WEAK
 (glibc since 2.1.91)
 Allow weak symbols to be overridden (reverting to old glibc behavior).
-For security reasons, since glibc 2.3.4,
+Since glibc 2.3.4,
 .B LD_DYNAMIC_WEAK
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_HWCAP_MASK
 (glibc since 2.1)
@@ -348,9 +371,9 @@ version numbers.
 .B LD_ORIGIN_PATH
 (glibc since 2.1)
 Path where the binary is found (for non-set-user-ID programs).
-For security reasons, since glibc 2.4,
+Since glibc 2.4,
 .B LD_ORIGIN_PATH
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .\" Only used if $ORIGIN can't be determined by normal means
 .\" (from the origin path saved at load time, or from /proc/self/exe)?
 .TP
@@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an empty string,
 then the default is
 .IR /var/tmp .
 .B LD_PROFILE_OUTPUT
-is ignored for set-user-ID and set-group-ID programs,
+is ignored in secure-execution mode.
 which always use
 .IR /var/profile .
 .TP
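Review bot: `+is ignored in secure-execution mode.` ends the sentence with a full stop, but the following context lines `which always use` / `.IR /var/profile .` still continue it, leaving a fragment. Keep the comma from the replaced line: `is ignored in secure-execution mode,`.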
 .B LD_SHOW_AUXV
 (glibc since 2.1)
 Show auxiliary array passed up from the kernel.
-For security reasons, since glibc 2.3.5,
+Since glibc 2.3.5,
 .B LD_SHOW_AUXV
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_TRACE_PRELINKING
 (glibc since 2.4)
@@ -421,7 +444,7 @@ If
 .B LD_USE_LOAD_BIAS
 is defined with the value 0,
 neither executables nor PIEs will honor the base addresses.
-This variable is ignored by set-user-ID and set-group-ID programs.
+This variable is ignored in secure-execution mode.
 .TP
 .B LD_VERBOSE
 (glibc since 2.1)
@@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm
 .BR sprof (1),
 .BR dlopen (3),
 .BR getauxval (3),
+.BR capabilities (7),
 .BR rtld-audit (7),
 .BR ldconfig (8),
 .BR sln (8)




-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
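As an added illustration of the secure-execution determination described in the alternative patch above (this is not code from the thread or from glibc), the following C program reads the AT_SECURE entry both through getauxval(3) and directly from /proc/self/auxv, then classifies the likely reason using the real/effective IDs and the CapPrm/CapEff lines of /proc/self/status. The function names, the use of /proc and the reason strings are my own assumptions; it assumes Linux with a glibc that provides getauxval(3).

```c
/* Added example (not from the thread or from glibc): how a process can
 * tell whether the dynamic linker put it in secure-execution mode, and
 * which of the man page's listed reasons most likely applies.
 * Assumes Linux, glibc with getauxval(3), and a readable /proc. */
#include <elf.h>
#include <link.h>        /* ElfW() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>    /* getauxval(), AT_SECURE */
#include <unistd.h>

/* Read AT_SECURE straight from /proc/self/auxv, i.e. the same auxiliary
 * vector the kernel handed to ld.so, without going through glibc's copy.
 * Returns the entry's value, 0 if the entry is absent, -1 on read error. */
long at_secure_from_procfs(void)
{
    FILE *f = fopen("/proc/self/auxv", "rb");
    if (f == NULL)
        return -1;
    ElfW(auxv_t) entry;           /* {a_type, a_un.a_val} pairs */
    long result = 0;
    while (fread(&entry, sizeof entry, 1, f) == 1) {
        if (entry.a_type == AT_NULL)          /* end of vector */
            break;
        if (entry.a_type == AT_SECURE) {
            result = (long) entry.a_un.a_val;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Whether ld.so treated this process as a secure-execution one: this is
 * the value __libc_enable_secure is initialised from. */
int in_secure_execution_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* First listed reason: real and effective user or group IDs differ,
 * which is what executing a set-user-ID/set-group-ID program produces. */
int credentials_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Second listed reason: a non-root process that holds permitted or
 * effective capabilities (e.g. from file capabilities).  Parses the
 * CapPrm/CapEff hex masks in /proc/self/status; 1 if either is nonzero. */
int nonroot_with_capabilities(void)
{
    if (getuid() == 0)
        return 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long long mask = 0;
        if (sscanf(line, "CapPrm: %llx", &mask) == 1 ||
            sscanf(line, "CapEff: %llx", &mask) == 1) {
            if (mask != 0)
                found = 1;
        }
    }
    fclose(f);
    return found;
}

/* Classify, following the proposed man-page text, why secure mode is or
 * is not in effect.  Returns a constant string callers can log or test. */
const char *secure_mode_reason(void)
{
    if (!in_secure_execution_mode())
        return "not-secure";
    if (credentials_differ())
        return "setuid-or-setgid";
    if (nonroot_with_capabilities())
        return "file-capabilities";
    return "other";   /* e.g. set by an LSM; not distinguishable from here */
}

int main(void)
{
    printf("AT_SECURE via getauxval: %lu\n", getauxval(AT_SECURE));
    printf("AT_SECURE via /proc:     %ld\n", at_secure_from_procfs());
    printf("secure-execution mode:   %s\n", secure_mode_reason());
    /* In secure mode ld.so ignores LD_PRELOAD even if it is still present
       in the environment, so report whether it would have been consulted. */
    const char *preload = getenv("LD_PRELOAD");
    printf("LD_PRELOAD in environ:   %s\n", preload ? "yes" : "no");
    return 0;
}
```

Run it once normally and once via a set-user-ID copy of the binary to see the reason change from "not-secure" to "setuid-or-setgid".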

* Re: [patch] ld.so.8: outline missed cases of secure run
@ 2015-09-14 18:42     ` Michael Kerrisk (man-pages)
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-09-14 18:42 UTC (permalink / raw)
  To: Yury Gribov; +Cc: Maria Guseva, linux-man, v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ

Yury,

On 1 September 2015 at 09:18, Yury Gribov <y.gribov-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org> wrote:
> On 08/31/2015 07:12 PM, Maria Guseva wrote:
>>
>> Hello,
>>
>> For the purpose of security many ld.so options(e.g. --inhibit-rpath,
>> LD_LIBRARY_PATH and others) are disabled for secure types of programs.
>> Current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
>> However according to GNU libc sources there could be other cases where
>> __libc_enable_secure is set to non-zero -- when AT_SECURE value is set in
>> auxiliary vector:
>
>
> While at it, could you also mention that /etc/suid-debug enables LD_DEBUG
> for suids?

Does it? I can't see that in the glibc source. Am I missing something?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

* Re: [patch] ld.so.8: outline missed cases of secure run
@ 2015-09-15  9:13         ` Yury Gribov
  0 siblings, 0 replies; 13+ messages in thread
From: Yury Gribov @ 2015-09-15  9:13 UTC (permalink / raw)
  To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w
  Cc: Maria Guseva, linux-man, v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ

On 09/14/2015 09:42 PM, Michael Kerrisk (man-pages) wrote:
> Yury,
>
> On 1 September 2015 at 09:18, Yury Gribov <y.gribov-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org> wrote:
>> On 08/31/2015 07:12 PM, Maria Guseva wrote:
>>>
>>> Hello,
>>>
>>> For the purpose of security many ld.so options(e.g. --inhibit-rpath,
>>> LD_LIBRARY_PATH and others) are disabled for secure types of programs.
>>> Current ld.so man page mentions them as set-user-ID/set-group-ID binaries.
>>> However according to GNU libc sources there could be other cases where
>>> __libc_enable_secure is set to non-zero -- when AT_SECURE value is set in
>>> auxiliary vector:
>>
>>
>> While at it, could you also mention that /etc/suid-debug enables LD_DEBUG
>> for suids?
>
> Does it? I can't see that in the glibc source. Am I missing something?

I was looking at process_envvars (in rtld.c): it resets dl_debug_mask 
for AT_SECURE binaries unless /etc/suid-debug exists.

-Y

* RE: [patch] ld.so.8: outline missed cases of secure run
@ 2015-09-22  8:58     ` Maria Guseva
  0 siblings, 0 replies; 13+ messages in thread
From: Maria Guseva @ 2015-09-22  8:58 UTC (permalink / raw)
  To: 'Michael Kerrisk (man-pages)'
  Cc: 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ,
	linux-man-u79uwXL29TY76Z2rM5mHXA


Hello Michael, Yury

> What do you think of the alternative patch below?
Thank you, the patch you proposed looks much better. 

>>> While at it, could you also mention that /etc/suid-debug enables 
>>> LD_DEBUG for suids?
>>
>> Does it? I can't see that in the glibc source. Am I missing something?

>I was looking at process_envvars (in rtld.c): it resets dl_debug_mask for
>AT_SECURE binaries unless /etc/suid-debug exists.

So I think it should be mentioned in the LD_DEBUG environment variable description,
here:

.B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
+However, if the file
+.IR /etc/suid\-debug
+exists (the content of the file is irrelevant), then
+.BR LD_DEBUG
+has an effect in secure-execution mode.
.TP


Regards,
Maria


* RE: [patch] ld.so.8: outline missed cases of secure run
  2015-09-14  5:37 ` Michael Kerrisk (man-pages)
@ 2015-10-29  9:21   ` Maria Guseva
  2015-11-26  9:43   ` [PING][patch] " Maria Guseva
  3 siblings, 0 replies; 13+ messages in thread
From: Maria Guseva @ 2015-10-29  9:21 UTC (permalink / raw)
  To: 'Michael Kerrisk (man-pages)'
  Cc: 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ,
	linux-man-u79uwXL29TY76Z2rM5mHXA, 'Maria Guseva'

Ping.

On 09/22/2015 11:58 AM, Maria Guseva wrote:

Hello Michael, Yury

> What do you think of the alternative patch below?
Thank you, the patch you proposed looks much better. 

>>> While at it, could you also mention that /etc/suid-debug enables 
>>> LD_DEBUG for suids?
>>
>> Does it? I can't see that in the glibc source. Am I missing something?

>I was looking at process_envvars (in rtld.c): it resets dl_debug_mask for
>AT_SECURE binaries unless /etc/suid-debug exists.

So I think it should be mentioned in the LD_DEBUG environment variable description,
here:

.B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
+However, if the file
+.IR /etc/suid\-debug
+exists (the content of the file is irrelevant), then .BR LD_DEBUG has 
+an effect in secure-execution mode.
.TP


Regards,
Maria


* [PING][patch] ld.so.8: outline missed cases of secure run
  2015-09-14  5:37 ` Michael Kerrisk (man-pages)
  2015-10-29  9:21   ` Maria Guseva
@ 2015-11-26  9:43   ` Maria Guseva
  2015-12-04 21:27     ` Michael Kerrisk (man-pages)
  3 siblings, 1 reply; 13+ messages in thread
From: Maria Guseva @ 2015-11-26  9:43 UTC (permalink / raw)
  To: 'Michael Kerrisk (man-pages)'
  Cc: 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ,
	linux-man-u79uwXL29TY76Z2rM5mHXA, 'Maria Guseva'

Gentle ping.

>Ping.

>On 09/22/2015 11:58 AM, Maria Guseva wrote:

>Hello Michael, Yury

>> What do you think of the alternative patch below?
>Thank you, the patch you proposed looks much better. 

>>>> While at it, could you also mention that /etc/suid-debug enables 
>>>> LD_DEBUG for suids?
>>>
>>> Does it? I can't see that in the glibc source. Am I missing something?

>>I was looking at process_envvars (in rtld.c): it resets dl_debug_mask for
>>AT_SECURE binaries unless /etc/suid-debug exists.

>So I think it should be mentioned in the LD_DEBUG environment variable
>description, here:
> .B LD_DEBUG
>-is ignored for set-user-ID/set-group-ID binaries.
>+is ignored in secure-execution mode.
>+However, if the file
>+.IR /etc/suid\-debug
>+exists (the content of the file is irrelevant), then .BR LD_DEBUG has 
>+an effect in secure-execution mode.
> .TP


So find the final patch below:

diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
@@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not
exist.
 Use of DT_RPATH is deprecated.
 .IP o
 Using the environment variable
-.BR LD_LIBRARY_PATH .
-Except if the executable is a set-user-ID/set-group-ID binary,
+.BR LD_LIBRARY_PATH
+(unless the executable is being run in secure-execution mode; see below).
 in which case it is ignored.
 .IP o
 (ELF only) Using the directories specified in the @@ -166,15 +166,38 @@
environment variable setting (see below).
 .BI \-\-inhibit\-rpath " list"
 Ignore RPATH and RUNPATH information in object names in  .IR list .
-This option is ignored if
-.B ld.so
-is set-user-ID or set-group-ID.
+This option is ignored if when running in secure-execution mode (see
below).
 .TP
 .BI \-\-audit " list"
 Use objects named in
 .I list
 as auditors.
 .SH ENVIRONMENT
+Various environment variable influence the operation of the dynamic linker.
+.\"
+.SS Secure-execution mode
+For security reasons,
+the effects of some environment variables are voided or modified if the 
+dynamic linker determines that the binary should be run in 
+secure-execution mode.
+This determination is made by checking whether the .B AT_SECURE entry 
+in the auxiliary vector (see .BR getauxval (3)) has a nonzero value.
+This entry may have a nonzero value for various reasons, including:
+.IP * 3
+The process's real and effective user IDs differ, or the real and 
+effective group IDs differ.
+This typically occurs as a result of executing a set-user-ID or 
+set-group-ID program.
+.IP *
+A process with a non-root user ID executed a binary that conferred 
+permitted or effective capabilities.
+.IP *
+A nonzero value may have been set by a Linux Security Module.
+.\"
+.SS Environment variables
 Among the more important environment variables are the following:
 .TP
 .B LD_ASSUME_KERNEL
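Review bot: this copy of the patch has been reflowed by the mail client and no longer matches the 2015-09-14 version it was taken from: `.B AT_SECURE` and `.BR getauxval (3)` now sit in the middle of lines (`checking whether the .B AT_SECURE entry`, `(see .BR getauxval (3)) has a nonzero value`), where troff treats them as literal text rather than macro requests, and hunk headers have been joined onto the preceding context line (`specified in the @@ -166,15 +166,38 @@`), so the patch cannot be applied. The `if when` and `environment variable influence` typos from the earlier version are also still present. Please resend unwrapped (as an attachment or via git send-email) with each macro on its own line.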
@@ -235,7 +258,7 @@ The items in the list are separated by either colons or
semicolons.
 Similar to the
 .B PATH
 environment variable.
-Ignored in set-user-ID and set-group-ID programs.
+This variable is ignore in secure-execution mode.
 .TP
 .B LD_PRELOAD
 A list of additional, user-specified, ELF shared @@ -243,7 +266,7 @@
objects to be loaded before all others.
 The items of the list can be separated by spaces or colons.
 This can be used to selectively override functions in other shared objects.
 The objects are searched for using the rules given under DESCRIPTION.
-For set-user-ID/set-group-ID ELF binaries,
+In secure-execution mode,
 preload pathnames containing slashes are ignored,  and shared objects in
the standard search directories are loaded  only if the set-user-ID mode bit
is enabled on the shared object file.
@@ -282,7 +305,7 @@ to be loaded before all others in a separate linker
namespace  would occur in the process).
 These objects can be used to audit the operation of the dynamic linker.
 .B LD_AUDIT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 
 The dynamic linker will notify the audit  shared objects at so-called
auditing checkpoints\(emfor example, @@ -313,7 +336,7 @@ prints a help
message about which categories can be specified in this  environment
variable.
 Since glibc 2.3.4,
 .B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
+However, if the file
+.IR /etc/suid\-debug
+exists (the content of the file is irrelevant), then .BR LD_DEBUG has 
+an effect in secure-execution mode.
 .TP
.B LD_DEBUG_OUTPUT
 (glibc since 2.1)
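Review bot: the added line `+exists (the content of the file is irrelevant), then .BR LD_DEBUG has` embeds a roff macro mid-line, so ".BR LD_DEBUG" would appear literally in the rendered page instead of in bold. Also, `.IR /etc/suid\-debug` and `.BR LD_DEBUG` each carry a single argument, so the plain `.I` and `.B` macros are the conventional choice (the alternating `.IR`/`.BR` forms are for cases like `.BR getauxval (3)`). Suggested form: `exists (the content of the file is irrelevant), then` / `.B LD_DEBUG` / `has an effect in secure-execution mode.`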
@@ -322,14 +345,14 @@ File in which
 output should be written.
 The default is standard error.
 .B LD_DEBUG_OUTPUT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_DYNAMIC_WEAK
 (glibc since 2.1.91)
 Allow weak symbols to be overridden (reverting to old glibc behavior).
-For security reasons, since glibc 2.3.4,
+Since glibc 2.3.4,
 .B LD_DYNAMIC_WEAK
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_HWCAP_MASK
 (glibc since 2.1)
@@ -348,9 +371,9 @@ version numbers.
 .B LD_ORIGIN_PATH
 (glibc since 2.1)
 Path where the binary is found (for non-set-user-ID programs).
-For security reasons, since glibc 2.4,
+Since glibc 2.4,
 .B LD_ORIGIN_PATH
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .\" Only used if $ORIGIN can't be determined by normal means  .\" (from the
origin path saved at load time, or from /proc/self/exe)?
 .TP
@@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an
empty string,  then the default is  .IR /var/tmp .
 .B LD_PROFILE_OUTPUT
-is ignored for set-user-ID and set-group-ID programs,
+is ignored in secure-execution mode.
 which always use
 .IR /var/profile .
 .TP
 .B LD_SHOW_AUXV
 (glibc since 2.1)
 Show auxiliary array passed up from the kernel.
-For security reasons, since glibc 2.3.5,
+Since glibc 2.3.5,
 .B LD_SHOW_AUXV
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
 .TP
 .B LD_TRACE_PRELINKING
 (glibc since 2.4)
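Review bot: the replacement line `+is ignored in secure-execution mode.` ends the sentence with a full stop, but the unchanged lines that follow, ` which always use` and ` .IR /var/profile .`, continue the original sentence, so the rendered text becomes "... is ignored in secure-execution mode. which always use /var/profile." Either keep the comma from the removed line or fold the three lines into one sentence, e.g. `is ignored in secure-execution mode;` / `.I /var/profile` / `is always used instead.`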
@@ -421,7 +444,7 @@ If
 .B LD_USE_LOAD_BIAS
 is defined with the value 0,
 neither executables nor PIEs will honor the base addresses.
-This variable is ignored by set-user-ID and set-group-ID programs.
+This variable is ignored in secure-execution mode.
 .TP
 .B LD_VERBOSE
 (glibc since 2.1)
@@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm
.BR sprof (1),  .BR dlopen (3),  .BR getauxval (3),
+.BR capabilities (7),
 .BR rtld-audit (7),
 .BR ldconfig (8),
 .BR sln (8)


Regards,
Maria
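As an added example, not part of Maria's patch nor taken from the man page or the glibc sources, the following C program performs the check that the new "Secure-execution mode" text describes (a nonzero AT_SECURE entry read with getauxval(3)), reports the first listed trigger (differing real and effective IDs), and applies the /etc/suid-debug rule for LD_DEBUG. The function names and the `ld_debug_honoured` decision helper are mine; the override path is a parameter so the check can be exercised against a constructed path.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/stat.h>
#include <sys/types.h>

/* File whose mere existence keeps LD_DEBUG active in secure-execution
 * mode, as the patch documents (its content is irrelevant). */
#define SUID_DEBUG_FILE "/etc/suid-debug"

/* Secure-execution mode as the man page text defines it: the kernel placed
 * a nonzero AT_SECURE entry in the auxiliary vector of this process. */
int in_secure_execution_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* First trigger listed in the patch: real and effective user or group IDs
 * differ, which is what executing a set-user-ID/set-group-ID program
 * produces. Other triggers (file capabilities, an LSM decision) are only
 * visible through AT_SECURE itself. */
int ids_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The /etc/suid-debug override: existence is all that matters. The path is
 * a parameter (hypothetical helper, not glibc's code) so that the check can
 * be run against a constructed path in a test. */
int suid_debug_override_present(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Whether ld.so would act on LD_DEBUG, following the rule in the patch:
 * always outside secure-execution mode; inside it only with the override. */
int ld_debug_honoured(int secure, int override_present)
{
    return !secure || override_present;
}

int main(void)
{
    int secure = in_secure_execution_mode();
    int override = suid_debug_override_present(SUID_DEBUG_FILE);

    printf("AT_SECURE nonzero (secure-execution mode): %s\n",
           secure ? "yes" : "no");
    printf("real/effective IDs differ:                 %s\n",
           ids_differ() ? "yes" : "no");
    /* Variables such as LD_LIBRARY_PATH, LD_PRELOAD (partly) and LD_AUDIT
     * are simply dropped by ld.so in secure-execution mode. */
    printf("LD_LIBRARY_PATH honoured:                  %s\n",
           secure ? "no" : "yes");
    printf("LD_DEBUG honoured:                         %s\n",
           ld_debug_honoured(secure, override) ? "yes" : "no");
    return 0;
}
```

Built with `gcc -Wall` and run as an ordinary user, the program reports "no" for AT_SECURE; the same binary installed set-user-ID, or granted file capabilities, reports "yes" without any change in the program itself, which is exactly why the patch moves the page's wording from "set-user-ID/set-group-ID binaries" to the kernel-supplied AT_SECURE flag.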

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PING][patch] ld.so.8: outline missed cases of secure run
       [not found]     ` <00f601d1282e$e3e04ef0$aba0ecd0$@guseva-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
@ 2015-11-26 10:25       ` Silvan Jegen
       [not found]         ` <CAKvUva-pDmq7Cuvh0=Ne+Z+tbTdxO=s5YX6KVa1dUeB=uw5YPA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 13+ messages in thread
From: Silvan Jegen @ 2015-11-26 10:25 UTC (permalink / raw)
  To: Maria Guseva
  Cc: Michael Kerrisk (man-pages),
	Yury Gribov, v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ, linux-man

Hi

Please find below a few typos I found while looking at the text.

On Thu, Nov 26, 2015 at 10:43 AM, Maria Guseva <m.guseva-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org> wrote:
> So find the final patch below:
>
> diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644
> --- a/man8/ld.so.8
> +++ b/man8/ld.so.8
> @@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not
> exist.
>  Use of DT_RPATH is deprecated.
>  .IP o
>  Using the environment variable
> -.BR LD_LIBRARY_PATH .
> -Except if the executable is a set-user-ID/set-group-ID binary,
> +.BR LD_LIBRARY_PATH
> +(unless the executable is being run in secure-execution mode; see below).
>  in which case it is ignored.
>  .IP o
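Review bot: the replacement line `+(unless the executable is being run in secure-execution mode; see below).` closes the sentence, but the unchanged context line ` in which case it is ignored.` that follows belonged to the deleted "Except if ..." sentence and now dangles, so the page would read "...see below). in which case it is ignored." That line should be removed in this hunk as well.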
>  (ELF only) Using the directories specified in the @@ -166,15 +166,38 @@
> environment variable setting (see below).
>  .BI \-\-inhibit\-rpath " list"
>  Ignore RPATH and RUNPATH information in object names in  .IR list .
> -This option is ignored if
> -.B ld.so
> -is set-user-ID or set-group-ID.
> +This option is ignored if when running in secure-execution mode (see
> below).

either "if" or "when", not both

>  .TP
>  .BI \-\-audit " list"
>  Use objects named in
>  .I list
>  as auditors.
>  .SH ENVIRONMENT
> +Various environment variable influence the operation of the dynamic linker.

s/variable/variables/

> +.\"
> +.SS Secure-execution mode
> +For security reasons,
> +the effects of some environment variables are voided or modified if the
> +dynamic linker determines that the binary should be run in
> +secure-execution mode.
> +This determination is made by checking whether the .B AT_SECURE entry
> +in the auxiliary vector (see .BR getauxval (3)) has a nonzero value.
> +This entry may have a nonzero value for various reasons, including:
> +.IP * 3
> +The process's real and effective user IDs differ, or the real and

I think one writes process' instead of process's if a possessive 's
follows an s at the end of the word.

> +effective group IDs differ.
> +This typically occurs as a result of executing a set-user-ID or
> +set-group-ID program.
> +.IP *
> +A process with a non-root user ID executed a binary that conferred
> +permitted or effective capabilities.
> +.IP *
> +A nonzero value may have been set by a Linux Security Module.
> +.\"
> +.SS Environment variables
>  Among the more important environment variables are the following:
>  .TP
>  .B LD_ASSUME_KERNEL
> @@ -235,7 +258,7 @@ The items in the list are separated by either colons or
> semicolons.
>  Similar to the
>  .B PATH
>  environment variable.
> -Ignored in set-user-ID and set-group-ID programs.
> +This variable is ignore in secure-execution mode.

s/ignore/ignored/

Thanks!


Cheers,

Silvan

>  .TP
>  .B LD_PRELOAD
>  A list of additional, user-specified, ELF shared @@ -243,7 +266,7 @@
> objects to be loaded before all others.
>  The items of the list can be separated by spaces or colons.
>  This can be used to selectively override functions in other shared objects.
>  The objects are searched for using the rules given under DESCRIPTION.
> -For set-user-ID/set-group-ID ELF binaries,
> +In secure-execution mode,
>  preload pathnames containing slashes are ignored,  and shared objects in
> the standard search directories are loaded  only if the set-user-ID mode bit
> is enabled on the shared object file.
> @@ -282,7 +305,7 @@ to be loaded before all others in a separate linker
> namespace  would occur in the process).
>  These objects can be used to audit the operation of the dynamic linker.
>  .B LD_AUDIT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>
>  The dynamic linker will notify the audit  shared objects at so-called
> auditing checkpoints\(emfor example, @@ -313,7 +336,7 @@ prints a help
> message about which categories can be specified in this  environment
> variable.
>  Since glibc 2.3.4,
>  .B LD_DEBUG
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
> +However, if the file
> +.IR /etc/suid\-debug
> +exists (the content of the file is irrelevant), then .BR LD_DEBUG has
> +an effect in secure-execution mode.
>  .TP
> .B LD_DEBUG_OUTPUT
>  (glibc since 2.1)
> @@ -322,14 +345,14 @@ File in which
>  output should be written.
>  The default is standard error.
>  .B LD_DEBUG_OUTPUT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_DYNAMIC_WEAK
>  (glibc since 2.1.91)
>  Allow weak symbols to be overridden (reverting to old glibc behavior).
> -For security reasons, since glibc 2.3.4,
> +Since glibc 2.3.4,
>  .B LD_DYNAMIC_WEAK
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_HWCAP_MASK
>  (glibc since 2.1)
> @@ -348,9 +371,9 @@ version numbers.
>  .B LD_ORIGIN_PATH
>  (glibc since 2.1)
>  Path where the binary is found (for non-set-user-ID programs).
> -For security reasons, since glibc 2.4,
> +Since glibc 2.4,
>  .B LD_ORIGIN_PATH
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .\" Only used if $ORIGIN can't be determined by normal means  .\" (from the
> origin path saved at load time, or from /proc/self/exe)?
>  .TP
> @@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an
> empty string,  then the default is  .IR /var/tmp .
>  .B LD_PROFILE_OUTPUT
> -is ignored for set-user-ID and set-group-ID programs,
> +is ignored in secure-execution mode.
>  which always use
>  .IR /var/profile .
>  .TP
>  .B LD_SHOW_AUXV
>  (glibc since 2.1)
>  Show auxiliary array passed up from the kernel.
> -For security reasons, since glibc 2.3.5,
> +Since glibc 2.3.5,
>  .B LD_SHOW_AUXV
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_TRACE_PRELINKING
>  (glibc since 2.4)
> @@ -421,7 +444,7 @@ If
>  .B LD_USE_LOAD_BIAS
>  is defined with the value 0,
>  neither executables nor PIEs will honor the base addresses.
> -This variable is ignored by set-user-ID and set-group-ID programs.
> +This variable is ignored in secure-execution mode.
>  .TP
>  .B LD_VERBOSE
>  (glibc since 2.1)
> @@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm
> .BR sprof (1),  .BR dlopen (3),  .BR getauxval (3),
> +.BR capabilities (7),
>  .BR rtld-audit (7),
>  .BR ldconfig (8),
>  .BR sln (8)
>
>
> Regards,
> Maria
>

* Re: [PING][patch] ld.so.8: outline missed cases of secure run
       [not found]         ` <CAKvUva-pDmq7Cuvh0=Ne+Z+tbTdxO=s5YX6KVa1dUeB=uw5YPA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2015-11-30 16:49           ` Maria Guseva
       [not found]             ` <565C7E09.4030209-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
  2015-12-04 21:28           ` Michael Kerrisk (man-pages)
  1 sibling, 1 reply; 13+ messages in thread
From: Maria Guseva @ 2015-11-30 16:49 UTC (permalink / raw)
  To: Silvan Jegen
  Cc: Michael Kerrisk (man-pages),
	Yury Gribov, v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ, linux-man

Hi Silvan!

Thank you very much for your comments. I've fixed the typos you've 
mentioned and also fixed some others I've found myself.

Please find updated patch below:

diff --git a/man8/ld.so.8 b/man8/ld.so.8
index 8d8a759..c57c0da 100644
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
@@ -61,9 +61,8 @@ of the binary if present and DT_RUNPATH attribute does 
not exist.
  Use of DT_RPATH is deprecated.
  .IP o
  Using the environment variable
-.BR LD_LIBRARY_PATH .
-Except if the executable is a set-user-ID/set-group-ID binary,
-in which case it is ignored.
+.BR LD_LIBRARY_PATH
+(unless the executable is being run in secure-execution mode; see below).
  .IP o
  (ELF only) Using the directories specified in the
  DT_RUNPATH dynamic section attribute
@@ -166,15 +165,38 @@ environment variable setting (see below).
  .BI \-\-inhibit\-rpath " list"
  Ignore RPATH and RUNPATH information in object names in
  .IR list .
-This option is ignored if
-.B ld.so
-is set-user-ID or set-group-ID.
+This option is ignored if running in secure-execution mode (see below).
  .TP
  .BI \-\-audit " list"
  Use objects named in
  .I list
  as auditors.
  .SH ENVIRONMENT
+Various environment variables influence the operation of the dynamic 
linker.
+.\"
+.SS Secure-execution mode
+For security reasons,
+the effects of some environment variables are voided or modified if
+the dynamic linker determines that the binary should be
+run in secure-execution mode.
+This determination is made by checking whether the
+.B AT_SECURE
+entry in the auxiliary vector (see
+.BR getauxval (3))
+has a nonzero value.
+This entry may have a nonzero value for various reasons, including:
+.IP * 3
+The process' real and effective user IDs differ,
+or the real and effective group IDs differ.
+This typically occurs as a result of executing
+a set-user-ID or set-group-ID program.
+.IP *
+A process with a non-root user ID executed a binary that
+conferred permitted or effective capabilities.
+.IP *
+A nonzero value may have been set by a Linux Security Module.
+.\"
+.SS Environment variables
  Among the more important environment variables are the following:
  .TP
  .B LD_ASSUME_KERNEL
@@ -235,7 +257,7 @@ The items in the list are separated by either colons 
or semicolons.
  Similar to the
  .B PATH
  environment variable.
-Ignored in set-user-ID and set-group-ID programs.
+This variable is ignored in secure-execution mode.
  .TP
  .B LD_PRELOAD
  A list of additional, user-specified, ELF shared
@@ -243,7 +265,7 @@ objects to be loaded before all others.
  The items of the list can be separated by spaces or colons.
  This can be used to selectively override functions in other shared 
objects.
  The objects are searched for using the rules given under DESCRIPTION.
-For set-user-ID/set-group-ID ELF binaries,
+In secure-execution mode,
  preload pathnames containing slashes are ignored,
  and shared objects in the standard search directories are loaded
  only if the set-user-ID mode bit is enabled on the shared object file.
@@ -282,7 +304,7 @@ to be loaded before all others in a separate linker 
namespace
  would occur in the process).
  These objects can be used to audit the operation of the dynamic linker.
  .B LD_AUDIT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.

  The dynamic linker will notify the audit
  shared objects at so-called auditing checkpoints\(emfor example,
@@ -313,7 +335,12 @@ prints a help message about which categories can be 
specified in this
  environment variable.
  Since glibc 2.3.4,
  .B LD_DEBUG
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
+However, if the file
+.IR /etc/suid\-debug
+exists (the content of the file is irrelevant), then
+.BR LD_DEBUG
+has an effect in secure-execution mode.
  .TP
  .B LD_DEBUG_OUTPUT
  (glibc since 2.1)
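Review bot: style point on the added lines `+.IR /etc/suid\-debug` and `+.BR LD_DEBUG`: each takes a single argument, so the plain `.I` and `.B` macros are the conventional choice; the alternating-font forms `.IR`/`.BR` are meant for cases such as `.BR getauxval (3)`, where a roman suffix follows the bold or italic word. The sentence structure itself is now correct, with each macro on its own line.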
@@ -322,14 +349,14 @@ File in which
  output should be written.
  The default is standard error.
  .B LD_DEBUG_OUTPUT
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
  .TP
  .B LD_DYNAMIC_WEAK
  (glibc since 2.1.91)
  Allow weak symbols to be overridden (reverting to old glibc behavior).
-For security reasons, since glibc 2.3.4,
+Since glibc 2.3.4,
  .B LD_DYNAMIC_WEAK
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
  .TP
  .B LD_HWCAP_MASK
  (glibc since 2.1)
@@ -348,9 +375,9 @@ version numbers.
  .B LD_ORIGIN_PATH
  (glibc since 2.1)
  Path where the binary is found (for non-set-user-ID programs).
-For security reasons, since glibc 2.4,
+Since glibc 2.4,
  .B LD_ORIGIN_PATH
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
  .\" Only used if $ORIGIN can't be determined by normal means
  .\" (from the origin path saved at load time, or from /proc/self/exe)?
  .TP
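Review bot: the unchanged context line ` Path where the binary is found (for non-set-user-ID programs).` still phrases the restriction in terms of set-user-ID, while the replacement lines in this hunk now describe it as secure-execution mode; for consistency within the LD_ORIGIN_PATH entry consider updating that line too, e.g. `Path where the binary is found (for programs not running in secure-execution mode).`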
@@ -382,16 +409,16 @@ If this variable is not defined, or is defined as 
an empty string,
  then the default is
  .IR /var/tmp .
  .B LD_PROFILE_OUTPUT
-is ignored for set-user-ID and set-group-ID programs,
-which always use
-.IR /var/profile .
+is ignored in secure-execution mode when
+.IR /var/profile
+is always used.
  .TP
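Review bot: the wording of the replacement lines `+is ignored in secure-execution mode when` / `+.IR /var/profile` / `+is always used.` reads as if /var/profile being used were the condition under which the variable is ignored, whereas the removed text stated the opposite relation (ignored in that mode, and /var/profile is then always used). Suggested: `is ignored in secure-execution mode;` / `.I /var/profile` / `is always used instead.`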
  .B LD_SHOW_AUXV
  (glibc since 2.1)
  Show auxiliary array passed up from the kernel.
-For security reasons, since glibc 2.3.5,
+Since glibc 2.3.5,
  .B LD_SHOW_AUXV
-is ignored for set-user-ID/set-group-ID binaries.
+is ignored in secure-execution mode.
  .TP
  .B LD_TRACE_PRELINKING
  (glibc since 2.4)
@@ -421,7 +448,7 @@ If
  .B LD_USE_LOAD_BIAS
  is defined with the value 0,
  neither executables nor PIEs will honor the base addresses.
-This variable is ignored by set-user-ID and set-group-ID programs.
+This variable is ignored in secure-execution mode.
  .TP
  .B LD_VERBOSE
  (glibc since 2.1)
@@ -507,6 +534,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm
  .BR sprof (1),
  .BR dlopen (3),
  .BR getauxval (3),
+.BR capabilities (7),
  .BR rtld-audit (7),
  .BR ldconfig (8),
  .BR sln (8)

-- 
Regards,
Maria


* Re: [PING][patch] ld.so.8: outline missed cases of secure run
  2015-11-26  9:43   ` [PING][patch] " Maria Guseva
@ 2015-12-04 21:27     ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-12-04 21:27 UTC (permalink / raw)
  To: Maria Guseva
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, 'Yury Gribov',
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ,
	linux-man-u79uwXL29TY76Z2rM5mHXA

On 11/26/2015 10:43 AM, Maria Guseva wrote:
> Gentle ping.
> 
>> Ping.
> 
>> On 09/22/2015 11:58 AM, Maria Guseva wrote:
> 
>> Hello Michael, Yury
> 
>>> What do you think of the alternative patch below?
>> Thank you, the patch you proposed looks much better. 

Sorry for the long delay in reply. I've merged my version of 
this patch now. Thanks for reviewing it.

Cheers,

Michael


>>>>> While at it, could you also mention that /etc/suid-debug enables 
>>>>> LD_DEBUG for suids?
>>>>
>>>> Does it? I can't see that in the glibc source. Am I missing something?
> 
>>> I was looking at process_envvars (in rtld.c): it resets dl_debug_mask for
> AT_SECURE binaries unless /etc/suid-debug exists.
> 
>> So I think it should mentioned in LD_DEBUG environment variable
> description, here:
>> .B LD_DEBUG
>> -is ignored for set-user-ID/set-group-ID binaries.
>> +is ignored in secure-execution mode.
>> +However, if the file
>> +.IR /etc/suid\-debug
>> +exists (the content of the file is irrelevant), then .BR LD_DEBUG has 
>> +an effect in secure-execution mode.
>> .TP
> 
> 
> So find the final patch below:
> 
> diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644
> --- a/man8/ld.so.8
> +++ b/man8/ld.so.8
> @@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not
> exist.
>  Use of DT_RPATH is deprecated.
>  .IP o
>  Using the environment variable
> -.BR LD_LIBRARY_PATH .
> -Except if the executable is a set-user-ID/set-group-ID binary,
> +.BR LD_LIBRARY_PATH
> +(unless the executable is being run in secure-execution mode; see below).
>  in which case it is ignored.
>  .IP o
>  (ELF only) Using the directories specified in the @@ -166,15 +166,38 @@
> environment variable setting (see below).
>  .BI \-\-inhibit\-rpath " list"
>  Ignore RPATH and RUNPATH information in object names in  .IR list .
> -This option is ignored if
> -.B ld.so
> -is set-user-ID or set-group-ID.
> +This option is ignored if when running in secure-execution mode (see
> below).
>  .TP
>  .BI \-\-audit " list"
>  Use objects named in
>  .I list
>  as auditors.
>  .SH ENVIRONMENT
> +Various environment variable influence the operation of the dynamic linker.
> +.\"
> +.SS Secure-execution mode
> +For security reasons,
> +the effects of some environment variables are voided or modified if the 
> +dynamic linker determines that the binary should be run in 
> +secure-execution mode.
> +This determination is made by checking whether the .B AT_SECURE entry 
> +in the auxiliary vector (see .BR getauxval (3)) has a nonzero value.
> +This entry may have a nonzero value for various reasons, including:
> +.IP * 3
> +The process's real and effective user IDs differ, or the real and 
> +effective group IDs differ.
> +This typically occurs as a result of executing a set-user-ID or 
> +set-group-ID program.
> +.IP *
> +A process with a non-root user ID executed a binary that conferred 
> +permitted or effective capabilities.
> +.IP *
> +A nonzero value may have been set by a Linux Security Module.
> +.\"
> +.SS Environment variables
>  Among the more important environment variables are the following:
>  .TP
>  .B LD_ASSUME_KERNEL
> @@ -235,7 +258,7 @@ The items in the list are separated by either colons or
> semicolons.
>  Similar to the
>  .B PATH
>  environment variable.
> -Ignored in set-user-ID and set-group-ID programs.
> +This variable is ignore in secure-execution mode.
>  .TP
>  .B LD_PRELOAD
>  A list of additional, user-specified, ELF shared @@ -243,7 +266,7 @@
> objects to be loaded before all others.
>  The items of the list can be separated by spaces or colons.
>  This can be used to selectively override functions in other shared objects.
>  The objects are searched for using the rules given under DESCRIPTION.
> -For set-user-ID/set-group-ID ELF binaries,
> +In secure-execution mode,
>  preload pathnames containing slashes are ignored,  and shared objects in
> the standard search directories are loaded  only if the set-user-ID mode bit
> is enabled on the shared object file.
> @@ -282,7 +305,7 @@ to be loaded before all others in a separate linker
> namespace  would occur in the process).
>  These objects can be used to audit the operation of the dynamic linker.
>  .B LD_AUDIT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  
>  The dynamic linker will notify the audit  shared objects at so-called
> auditing checkpoints\(emfor example, @@ -313,7 +336,7 @@ prints a help
> message about which categories can be specified in this  environment
> variable.
>  Since glibc 2.3.4,
>  .B LD_DEBUG
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
> +However, if the file
> +.IR /etc/suid\-debug
> +exists (the content of the file is irrelevant), then .BR LD_DEBUG has 
> +an effect in secure-execution mode.
>  .TP
> .B LD_DEBUG_OUTPUT
>  (glibc since 2.1)
> @@ -322,14 +345,14 @@ File in which
>  output should be written.
>  The default is standard error.
>  .B LD_DEBUG_OUTPUT
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_DYNAMIC_WEAK
>  (glibc since 2.1.91)
>  Allow weak symbols to be overridden (reverting to old glibc behavior).
> -For security reasons, since glibc 2.3.4,
> +Since glibc 2.3.4,
>  .B LD_DYNAMIC_WEAK
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_HWCAP_MASK
>  (glibc since 2.1)
> @@ -348,9 +371,9 @@ version numbers.
>  .B LD_ORIGIN_PATH
>  (glibc since 2.1)
>  Path where the binary is found (for non-set-user-ID programs).
> -For security reasons, since glibc 2.4,
> +Since glibc 2.4,
>  .B LD_ORIGIN_PATH
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .\" Only used if $ORIGIN can't be determined by normal means  .\" (from the
> origin path saved at load time, or from /proc/self/exe)?
>  .TP
> @@ -382,16 +405,16 @@ If this variable is not defined, or is defined as an
> empty string,  then the default is  .IR /var/tmp .
>  .B LD_PROFILE_OUTPUT
> -is ignored for set-user-ID and set-group-ID programs,
> +is ignored in secure-execution mode.
>  which always use
>  .IR /var/profile .
>  .TP
>  .B LD_SHOW_AUXV
>  (glibc since 2.1)
>  Show auxiliary array passed up from the kernel.
> -For security reasons, since glibc 2.3.5,
> +Since glibc 2.3.5,
>  .B LD_SHOW_AUXV
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
>  .TP
>  .B LD_TRACE_PRELINKING
>  (glibc since 2.4)
> @@ -421,7 +444,7 @@ If
>  .B LD_USE_LOAD_BIAS
>  is defined with the value 0,
>  neither executables nor PIEs will honor the base addresses.
> -This variable is ignored by set-user-ID and set-group-ID programs.
> +This variable is ignored in secure-execution mode.
>  .TP
>  .B LD_VERBOSE
>  (glibc since 2.1)
> @@ -507,6 +530,7 @@ mtrr, pat, pbe, pge, pn, pse36, sep, ss, sse, sse2, tm
> .BR sprof (1),  .BR dlopen (3),  .BR getauxval (3),
> +.BR capabilities (7),
>  .BR rtld-audit (7),
>  .BR ldconfig (8),
>  .BR sln (8)
> 
> 
> Regards,
> Maria
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

* Re: [PING][patch] ld.so.8: outline missed cases of secure run
       [not found]         ` <CAKvUva-pDmq7Cuvh0=Ne+Z+tbTdxO=s5YX6KVa1dUeB=uw5YPA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2015-11-30 16:49           ` Maria Guseva
@ 2015-12-04 21:28           ` Michael Kerrisk (man-pages)
  1 sibling, 0 replies; 13+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-12-04 21:28 UTC (permalink / raw)
  To: Silvan Jegen, Maria Guseva
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, Yury Gribov,
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ, linux-man

Hello Silvan

On 11/26/2015 11:25 AM, Silvan Jegen wrote:
> Hi
> 
> Please find below a few typos I found while looking at the text.
> 
> On Thu, Nov 26, 2015 at 10:43 AM, Maria Guseva <m.guseva-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org> wrote:
>> So find the final patch below:
>>
>> diff --git a/man8/ld.so.8 b/man8/ld.so.8 index 8d8a759..112406e 100644
>> --- a/man8/ld.so.8
>> +++ b/man8/ld.so.8
>> @@ -61,8 +61,8 @@ of the binary if present and DT_RUNPATH attribute does not
>> exist.
>>  Use of DT_RPATH is deprecated.
>>  .IP o
>>  Using the environment variable
>> -.BR LD_LIBRARY_PATH .
>> -Except if the executable is a set-user-ID/set-group-ID binary,
>> +.BR LD_LIBRARY_PATH
>> +(unless the executable is being run in secure-execution mode; see below).
>>  in which case it is ignored.
>>  .IP o
>>  (ELF only) Using the directories specified in the @@ -166,15 +166,38 @@
>> environment variable setting (see below).
>>  .BI \-\-inhibit\-rpath " list"
>>  Ignore RPATH and RUNPATH information in object names in  .IR list .
>> -This option is ignored if
>> -.B ld.so
>> -is set-user-ID or set-group-ID.
>> +This option is ignored if when running in secure-execution mode (see
>> below).
> 
> either "if" or "when", not both

Yes.

>>  .TP
>>  .BI \-\-audit " list"
>>  Use objects named in
>>  .I list
>>  as auditors.
>>  .SH ENVIRONMENT
>> +Various environment variable influence the operation of the dynamic linker.
> 
> s/variable/variables/

Yes.

>> +.\"
>> +.SS Secure-execution mode
>> +For security reasons,
>> +the effects of some environment variables are voided or modified if the
>> +dynamic linker determines that the binary should be run in
>> +secure-execution mode.
>> +This determination is made by checking whether the .B AT_SECURE entry
>> +in the auxiliary vector (see .BR getauxval (3)) has a nonzero value.
>> +This entry may have a nonzero value for various reasons, including:
>> +.IP * 3
>> +The process's real and effective user IDs differ, or the real and
> 
> I think one writes process' instead of process's if a possessive 's
> follows an s at the end of the word.

"process's" works okay for me.

Cheers,

Michael



* Re: [PING][patch] ld.so.8: outline missed cases of secure run
       [not found]             ` <565C7E09.4030209-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
@ 2015-12-05  7:33               ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-12-05  7:33 UTC (permalink / raw)
  To: Maria Guseva, Silvan Jegen
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, Yury Gribov,
	v.garbuzov-Sze3O3UU22JBDgjK7y7TUQ, linux-man

Hello Maria,

> @@ -313,7 +335,12 @@ prints a help message about which categories can be 
> specified in this
>   environment variable.
>   Since glibc 2.3.4,
>   .B LD_DEBUG
> -is ignored for set-user-ID/set-group-ID binaries.
> +is ignored in secure-execution mode.
> +However, if the file
> +.IR /etc/suid\-debug
> +exists (the content of the file is irrelevant), then
> +.BR LD_DEBUG
> +has an effect in secure-execution mode.

Thanks also for this piece. I added it, but trimmed a little.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
