Bug 78291

Summary: exec of setuid root program loses some environment variables
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <jhenson>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: fweimer
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-11-20 20:25:40 UTC
Attachments:
description and test case to demonstrate bug (flags: none)

Description Need Real Name 2002-11-20 20:24:32 UTC

Description of problem:
Certain environment variables are removed from the environment of an exec'ed program, when that program is owned by root with the setuid bit set.

One such variable is LD_LIBRARY_PATH. But this is OK: it is known that setuid programs delete LD_LIBRARY_PATH from the environment list. (See /usr/src/redhat/SOURCES/glibc-2.2.5/sysdeps/generic/unsecvars.h)

The bug is that the environment variables G, H, L, M, N, R, and T are also deleted from the environment. Suspiciously, these happen to be exactly the set of initial letters of the variables listed in unsecvars.h...

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
See attachment for detailed information.


Additional info:

Comment 1 Need Real Name 2002-11-20 20:25:32 UTC
Created attachment 85753 [details]
description and test case to demonstrate bug

Comment 2 Jakub Jelinek 2002-11-20 20:55:37 UTC
This is fixed by glibc 7.3 errata.
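
A way to check a system for the behaviour described in this report, as an added example: it is not the reporter's attached test case and not glibc code. It assumes the program under test is a setuid-root binary that prints its environment as NAME=VALUE lines; `CONTROL_VAR`, the function names and the script path are hypothetical.

```shell
#!/bin/sh
# Added example. G..T and LD_LIBRARY_PATH are the names from the report;
# CONTROL_VAR is a constructed name that no filter should touch.
TEST_VARS="G H L M N R T CONTROL_VAR LD_LIBRARY_PATH"

# lost_vars PROGRAM [ARGS...]
# Runs PROGRAM with every test variable set to a marker value and prints the
# names that are missing from its output. PROGRAM is assumed to print its
# environment as NAME=VALUE lines, like env(1).
lost_vars() {
    marker="envcheck_$$"
    out=$(
        keep=${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}  # keep an existing search path
        for v in $TEST_VARS; do export "$v=$marker"; done
        export LD_LIBRARY_PATH="$marker$keep"
        "$@"
    ) || return 2
    lost=""
    for v in $TEST_VARS; do
        printf '%s\n' "$out" | grep -q "^$v=$marker" || lost="$lost $v"
    done
    echo "${lost# }"
}

# check_env PROGRAM [ARGS...]
# For a setuid-root PROGRAM, losing LD_LIBRARY_PATH is expected; losing any
# other test variable matches the behaviour described in this report.
check_env() {
    lost=$(lost_vars "$@") || { echo "could not run: $*" >&2; return 2; }
    unexpected=""
    for v in $lost; do
        [ "$v" = LD_LIBRARY_PATH ] || unexpected="$unexpected $v"
    done
    if [ -n "$unexpected" ]; then
        echo "AFFECTED: unexpectedly removed:$unexpected"
        return 1
    fi
    echo "OK: removed only what is expected (${lost:-nothing})"
}

# Usage: sh envcheck.sh /path/to/setuid-env-printer   (hypothetical path)
if [ $# -gt 0 ]; then check_env "$@"; fi
```

Run against a non-setuid program such as `env`, nothing should be reported as removed; the control variable separates a filter that matches by name from one that drops everything.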