Red Hat Bugzilla – Bug 78291
exec of setuid root program loses some environment variables
Last modified: 2016-11-24 09:55:37 EST
Description of problem:
Certain environment variables are removed from the environment of an exec'ed program when that program is owned by root with the setuid bit set.

One such variable is LD_LIBRARY_PATH. But this is OK: it is known that setuid programs delete LD_LIBRARY_PATH from the environment list.

The bug is that the environment variables G, H, L, M, N, R, and T are also deleted from the environment. Suspiciously, these happen to be exactly the set of initial letters of the variables listed in
Version-Release number of selected component (if applicable):
Steps to Reproduce:
See attachment for detailed information.
Created attachment 85753
description and test case to demonstrate bug
This is fixed by glibc 7.3 errata.