Description of problem: A security flaw in the way glibc's ld.so processed LD_AUDIT containing $ORIGIN (see bug #43306) led to disabling $ORIGIN expansion in privileged programs completely in EL5 and later (bug #643306, comment #26). As EL4 glibc does not support the linker auditing API, it did not require an immediate security fix as was issued for EL5. In EL4, $ORIGIN expansion may happen if a privileged program is built with an RPATH containing $ORIGIN. No setuid/setgid binary in EL4 does that. Disabled expansion can provide a safety check for such unsafe setuid/setgid binaries.

Version-Release number of selected component (if applicable): glibc-2.3.4-2.43.el4_8.6

Steps to Reproduce: See reproducer in bug #643306, comment #23.
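The comment above states that no EL4 setuid/setgid binary carries $ORIGIN in its RPATH; the following script, an added example that is not part of the bug report, is one way to verify that claim on a host. It assumes binutils' readelf is installed and scans a directory tree for setuid/setgid files whose DT_RPATH or DT_RUNPATH references $ORIGIN.

```shell
#!/bin/sh
# Added example (not from the Bugzilla thread): find setuid/setgid ELF
# binaries whose DT_RPATH or DT_RUNPATH contains $ORIGIN, i.e. the
# binaries for which ld.so's $ORIGIN expansion policy actually matters.
# Requires binutils (readelf).

# Return 0 if the `readelf -d` dump on stdin has an RPATH or RUNPATH entry
# that mentions $ORIGIN (or ${ORIGIN}), 1 otherwise.  Reading from stdin
# lets the check run on captured output as well as on live binaries.
rpath_has_origin() {
    grep -E '\((RPATH|RUNPATH)\)' | grep -Eq '\$(ORIGIN|\{ORIGIN\})'
}

# Print every setuid/setgid regular file under $1 (default: /) whose
# dynamic section references $ORIGIN.  Non-ELF files are skipped because
# readelf fails on them and its output is discarded.
scan_privileged() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | rpath_has_origin; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `scan_privileged /usr` (as root, so every setuid file is readable); an empty result matches the "no setuid/setgid binary does that" statement, and any listed file is a candidate for closer review.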
(In reply to comment #0)
> See reproducer in bug #643306, comment #23.

Updated test case in bug #643306, comment #39.
"Don't ignore $ORIGIN in libraries" fix does not help either, see test case in bug #667974.
-> ASSIGNED

The aim of this bug is to provide extra safety for privileged programs that happen to have $ORIGIN in RPATH. If we consider such binaries to be inherently broken (as bug #667974, comment #8 suggests), we should revert the patch that was applied and close this WONTFIX. The patch does not make it harder to abuse such privileged programs, but rather removes certain constraints. Do you agree that such a change is undesired?
Patch reverted: http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/rpms/glibc/RHEL-4/glibc.spec.diff?r1=1.183;r2=1.184;f=h

Thank you!