diff options
author | Brent Cook <busterb@gmail.com> | 2014-07-15 16:30:07 +0000 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-07-19 21:39:18 -0400 |
commit | ddddec106fd17c3aca3287005d21e92f742aa9d4 (patch) | |
tree | b980289dde0d827262451c93780690db16b4272e /COPYRIGHT | |
parent | cec33b2c6079195c687331beda5409f449125b06 (diff) | |
download | musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.gz musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.bz2 musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.tar.xz musl-ddddec106fd17c3aca3287005d21e92f742aa9d4.zip |
add issetugid function to check for elevated privilege
this function provides a way for third-party library code to use the
same logic that's used internally in libc for suppressing untrusted
input/state (e.g. the environment) when the application is running
with privleges elevated by the setuid or setgid bit or some other
mechanism. its semantics are intended to match the openbsd function by
the same name.
there was some question as to whether this function is necessary:
getauxval(AT_SECURE) was proposed as an alternative. however, this has
several drawbacks. the most obvious is that it asks programmers to be
aware of an implementation detail of ELF-based systems (the aux
vector) rather than simply the semantic predicate to be checked. and
trying to write a safe, reliable version of issetugid in terms of
getauxval is difficult. for example, early versions of the glibc
getauxval did not report ENOENT, which could lead to false negatives
if AT_SECURE was not present in the aux vector (this could probably
only happen when running on non-linux kernels under linux emulation,
since glibc does not support linux versions old enough to lack
AT_SECURE). as for musl, getauxval has always properly reported
errors, but prior to commit 7bece9c2095ee81f14b1088f6b0ba2f37fecb283,
the musl implementation did not emulate AT_SECURE if missing, which
would result in a false positive. since musl actually does partially
support kernels that lack AT_SECURE, this was problematic.
the intent is that library authors will use issetugid if its
availability is detected at build time, and only fall back to the
unreliable alternatives on systems that lack it.
patch by Brent Cook. commit message/rationale by Rich Felker.
Diffstat (limited to 'COPYRIGHT')
0 files changed, 0 insertions, 0 deletions