2011-05-05 Petr Baudis * elf/dl-load.c (fillin_rpath): Move trusted path check... (is_trusted_path): ...to here. (is_norm_trusted_path): Add wrapper for /../-normalization. (is_dst): Do not check for extra path after $ORIGIN. (_dl_dst_count): Update comment. (_dl_dst_substitute): Verify expanded $ORIGIN path elements using is_norm_trusted_path() in setuid scripts. diff --git a/elf/dl-load.c b/elf/dl-load.c index 00ea465..59b2022 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -168,6 +168,58 @@ local_strdup (const char *s) } +static bool +is_trusted_path (const char *path, int len) +{ + const char *trun = system_dirs; + size_t idx; + + /* All trusted directories must be complete names. */ + if (path[0] != '/') + return false; + + for (idx = 0; idx < nsystem_dirs_len; ++idx) + { + if (len == system_dirs_len[idx] + && memcmp (trun, path, len) == 0) + { + /* Found it. */ + return true; + } + + trun += system_dirs_len[idx] + 1; + } + return false; +} + +static bool +is_norm_trusted_path (const char *path, int len) +{ + char *npath = (char *) alloca (len + 1); + char *wnp = npath; + + while (*path != '\0') + { + if (path[0] == '/') + { + while (path[1] == '.' && path[2] == '.' + && (path[3] == '/' || path[3] == '\0')) + { + while (wnp > npath && *--wnp != '/') ; + while (wnp > npath && wnp[-1] == '/') wnp--; + path += 3; + } + } + *wnp++ = *path++; + } + if (wnp > npath && wnp[-1] != '/') + *wnp++ = '/'; + *wnp = '\0'; + + return is_trusted_path(npath, wnp - npath); +} + + static size_t is_dst (const char *start, const char *name, const char *str, int is_path, int secure) @@ -200,8 +252,7 @@ is_dst (const char *start, const char *name, const char *str, return 0; if (__builtin_expect (secure, 0) - && ((name[len] != '\0' && (!is_path || name[len] != ':')) - || (name != start + 1 && (!is_path || name[-2] != ':')))) + && (name != start + 1 && (!is_path || name[-2] != ':'))) return 0; return len; @@ -218,8 +269,8 @@ _dl_dst_count (const char *name, int is_path) { size_t len; - /* $ORIGIN is not expanded for SUID/GUID programs (except if it - is $ORIGIN alone) and it must always appear first in path. */ + /* $ORIGIN is not expanded for SUID/GUID programs if it does not + * appear first in path. */ ++name; if ((len = is_dst (start, name, "ORIGIN", is_path, INTUSE(__libc_enable_secure))) != 0 @@ -241,6 +292,7 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, { const char *const start = name; char *last_elem, *wp; + bool elem_check_trusted = false; /* Now fill the result path. While copying over the string we keep track of the start of the last path element. When we come accross @@ -265,6 +317,8 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, else #endif repl = l->l_origin; + elem_check_trusted = INTUSE(__libc_enable_secure) + && l->l_type == lt_executable; } else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0) repl = GLRO(dl_platform); @@ -297,11 +351,28 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, { *wp++ = *name++; if (is_path && *name == ':') - last_elem = wp; + { + /* In SUID/SGID programs, after $ORIGIN expansion the + * normalized path is allowed correspond only to a + * trusted directory */ + if (__builtin_expect (elem_check_trusted, 0) + && !is_norm_trusted_path (last_elem, wp - last_elem)) + { + wp = last_elem; + elem_check_trusted = false; + } + else + { + last_elem = wp; + } + } } } while (*name != '\0'); + if (__builtin_expect (elem_check_trusted, 0) + && !is_norm_trusted_path (last_elem, wp - last_elem)) + wp = last_elem; *wp = '\0'; return result; @@ -411,33 +482,8 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, cp[len++] = '/'; /* Make sure we don't use untrusted directories if we run SUID. */ - if (__builtin_expect (check_trusted, 0)) - { - const char *trun = system_dirs; - size_t idx; - int unsecure = 1; - - /* All trusted directories must be complete names. */ - if (cp[0] == '/') - { - for (idx = 0; idx < nsystem_dirs_len; ++idx) - { - if (len == system_dirs_len[idx] - && memcmp (trun, cp, len) == 0) - { - /* Found it. */ - unsecure = 0; - break; - } - - trun += system_dirs_len[idx] + 1; - } - } - - if (unsecure) - /* Simply drop this directory. */ - continue; - } + if (__builtin_expect (check_trusted, 0) && !is_trusted_path (cp, len)) + continue; /* See if this directory is already known. */ for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)