[musl] Re: Tweaking the program name for <err.h> functions

Skyler Ferrante (RIT Student) sjf5462 at rit.edu
Mon Mar 11 14:46:45 UTC 2024


Hi,

"Consider that a setuid program accidentally opens a privileged file in fd 2."

It seems like this is the main thing shadow-utils (and other projects)
should be concerned about. Every setuid/setgid program should check
for fd 0,1,2 being open at the start of execution, and either abort or
open new fds to /dev/null to prevent file descriptor omission attacks.
Any defenses used to prevent exploitation when a setuid/setgid program
does not do this seem unlikely to succeed.

All an attacker would need would be an attacker defined string going
to stdout/stderr. Argv[0] is useful for this, but it is not the only
option. Usernames/group names/etc. are chosen by attackers. Preventing
these from being printed might increase security a bit, but they would
make error messages worse. That's just my two cents.

Skyler

On Sun, Mar 10, 2024 at 8:46 PM Alejandro Colomar <alx at kernel.org> wrote:
>
> Hi Thorsten,
>
> On Mon, Mar 11, 2024 at 12:19:27AM +0000, Thorsten Glaser wrote:
> > Rich Felker dixit:
> >
> > >the string literal, because the string literal appears in modular
> > >library code that gets called from multiple utilities, then printing
> > >an error message (and even worse, exiting, if you do that too), rather
> > >than returning meaningful error information up to the caller for it to
> > >handle/display, is just really sloppy, low-quality programming.
> >
> > Libraries totally should not call exit and thus not err/errx,
> > and warn/warnx is… also questionable at best.
> >
> > But modularised code that builds a shared object and a few
> > binaries using it? Why not.
> >
> > The thing I don’t get is why changing __progname is desired,
> > but I guess everyone has use cases for something.
>
> setuid programs.  Consider that a setuid program accidentally opens a
> privileged file in fd 2.  Now what happens if a random user can trigger
> that accident, and write arbitrary text to a privileged file, just by
> calling that setuid program with execlp("su", "inject this stuff", ...)?
>
> Bad stuff.
>
> Have a lovely night!
> Alex
>
> >
> > bye,
> > //mirabilos
> > --
> > (gnutls can also be used, but if you are compiling lynx for your own use,
> > there is no reason to consider using that package)
> >       -- Thomas E. Dickey on the Lynx mailing list, about OpenSSL
>
> --
> <https://www.alejandro-colomar.es/>
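The check Skyler recommends above (verify fds 0, 1 and 2 at the start of a setuid/setgid program, then either abort or point the missing ones at /dev/null) and the scenario Alejandro describes (a privileged file accidentally landing on fd 2, where err()/warn() output would go) can be turned into a small routine. The following is an added example, not code from this thread, from musl, libbsd or shadow-utils; the function names sanitize_std_fds and fd_is_open are this example's own.

```c
/* Added example: sanitising the standard file descriptors at the start
 * of a setuid/setgid program.  Names are this example's own, not the
 * API of musl, libbsd or shadow-utils. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 if fd is an open descriptor, 0 if it is closed.
 * fcntl(F_GETFD) is a cheap query that does not touch the file itself. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Ensure fds 0, 1 and 2 are open before anything else runs.
 *
 * strict == 1: do not repair; just count the closed fds so the caller
 *              can refuse to run.
 * strict == 0: point each closed fd at /dev/null so later stdio output
 *              cannot land in a file the caller left on that number.
 *
 * Returns the number of fds found closed, or -1 if /dev/null could not
 * be opened on the expected descriptor. */
int sanitize_std_fds(int strict)
{
    int missing = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        missing++;
        if (strict)
            continue;

        /* open(2) returns the lowest free descriptor; because 0..fd-1 are
         * already open at this point it lands on fd itself.  Verify rather
         * than assume. */
        int flags = (fd == STDIN_FILENO) ? O_RDONLY : O_WRONLY;
        int nfd = open("/dev/null", flags);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            close(nfd);
            return -1;
        }
    }
    return missing;
}

int main(void)
{
    /* Run the check before any library code, and before any err()/warn()
     * call, so an error message can never be written through an fd the
     * invoking user chose.  On failure, exit without printing: fd 2 is
     * exactly the descriptor we do not trust yet. */
    if (sanitize_std_fds(0) == -1)
        _exit(1);
    puts("standard fds verified");
    return 0;
}
```

The strict policy (return the count and let the caller abort) is the conservative choice for a setuid binary that has no business running with a closed standard fd at all; the repair policy keeps the program usable but still guarantees that stdout/stderr are /dev/null rather than an attacker-chosen file. Either way the call has to happen first thing in main, before anything else can open a file that would inherit the lowest free descriptor number.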

