Bug 129682

Summary: $LD_LIBRARY_PATH omitted from environment of setuid/setgid programs run by non-owner user
Product: [Fedora] Fedora Reporter: Jason Vas Dias <jvdias>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: fweimer, mikel
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-08-11 21:30:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 118262    

Description Jason Vas Dias 2004-08-11 19:56:51 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
 A program with either or both of the setuid / setgid mode bits 
 set cannot obtain $LD_LIBRARY_PATH from environment of invoking
 user if that user is not the program file owner.

 IE. if a user has set the LD_LIBRARY_PATH environment variable,
 and invokes a setuid/setgid program, that program gets the 
 user's environment with LD_LIBRARY_PATH omitted, unless the
 user is the owner of the program file. 
 
 This could be a security "feature" ; if so, it is not documented
 anywhere (man execve, man 5 environ, man setuid...) - it should be!
 
 This happens on FC2, FC3, and RHEL-3.0-U3.

 This breaks programs like at(1) which record the environment of the
 invoking user (bug 118262 was raised by user about this issue). 
  
 I think this is a bug, because it happens for programs with the
 setuid/setgid bit set WHICH HAVE NOT CALLED setuid() or setgid() -
 ie. they are still running with real uid/gid of the user which
 invokes them and effective uid/gid of file owner.

 

 


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
$ ls -l /bin/env
-rwxr-xr-x  1 root root 15200 May  4 12:26 /bin/env
$ export LD_LIBRARY_PATH=/lib:/usr/lib:/usr/X11R6/lib
$ /bin/env | grep LD_LIBRARY_PATH
LD_LIBRARY_PATH=/lib:/usr/lib:/usr/X11R6/lib
(now as root do chmod +s /bin/env)
$ ls -l /bin/env
-rwsr-sr-x  1 root root 15200 May  4 12:26 /bin/env
$ /bin/env | grep LD_LIBRARY_PATH
( LD_LIBRARY_PATH not in environment! )
2.
3.
    

Actual Results:  LD_LIBRARY_PATH is omitted from environment if
effective uid/gid != real uid/gid

Expected Results:  LD_LIBRARY_PATH should be in environment of
executed program if it was
in environment of executing program

Additional info:
Comment 1 Jakub Jelinek 2004-08-11 21:30:23 UTC 
This is of course a security measure, there are many env variables
removed from the environment and disregarded for setuid or setgid
apps, including LD_PRELOAD, LD_LIBRARY_PATH, LD_ORIGIN_PATH, LD_DEBUG_OUTPUT, LD_PROFILE, LD_USE_LOAD_BIAS, GCONV_PATH, HOSTALIASES, LOCALDOMAIN, LOCPATH, MALLOC_TRACE, NLSPATH, RESOLV_HOST_CONF, RES_OPTIONS, TMPDIR and TZDIR.
All Unices I know of behave this way.

If you don't see this documented, it is a man-pages bug, not glibc
bug.
Comment 2 Mikel Ward 2011-04-14 02:39:10 UTC 
For what it's worth, it's documented in ld.so(8).