authorTheodore Ts'o <tytso@mit.edu>2005-04-06 14:44:16 -0400
committerTheodore Ts'o <tytso@mit.edu>2005-04-06 14:44:16 -0400
commit762c7c65103615d976beeb4c8e2d1d9a79c87d86 (patch)
tree8c047e58ce33fef32240e67eaef332ef0491e7f7 /lib/blkid/cache.c
parent813b901d419cd700cf2fc65048142b024da49808 (diff)
Add paranoia checks into the blkid, ext2fs, and ss libraries to ignore
environment variables if the libraries are called from setuid or setgid programs, or if the kernel believes that the process is not eligible to create a core dump. In addition, if the libc has __secure_getenv(), use it so that the libc can also apply any additional limitations regarding when libraries can trust environment variables (i.e., to integrate with systems like SELinux and Posix capabilities).
Diffstat (limited to 'lib/blkid/cache.c')
-rw-r--r--lib/blkid/cache.c40
1 files changed, 38 insertions, 2 deletions
diff --git a/lib/blkid/cache.c b/lib/blkid/cache.c
index 12cae0c1..5813bbc5 100644
--- a/lib/blkid/cache.c
+++ b/lib/blkid/cache.c
@@ -10,12 +10,48 @@
* %End-Header%
*/
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
#include <stdlib.h>
#include <string.h>
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#else
+#define PR_GET_DUMPABLE 3
+#endif
+#if (!defined(HAVE_PRCTL) && defined(linux))
+#include <sys/syscall.h>
+#endif
#include "blkidP.h"
int blkid_debug_mask = 0;
+
+static char *safe_getenv(const char *arg)
+{
+ if ((getuid() != geteuid()) || (getgid() != getgid()))
+ return NULL;
+#if HAVE_PRCTL
+ if (prctl(PR_GET_DUMPABLE) == 0)
+ return NULL;
+#else
+#if (defined(linux) && defined(SYS_prctl))
+ if (syscall(SYS_prctl, PR_GET_DUMPABLE) == 0)
+ return NULL;
+#endif
+#endif
+
+#ifdef HAVE___SECURE_GETENV
+ return __secure_getenv("BLKID_FILE");
+#else
+ return getenv("BLKID_FILE");
+#endif
+}
+
int blkid_get_cache(blkid_cache *ret_cache, const char *filename)
{
blkid_cache cache;
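Review bot: The setgid half of the guard on the first line of safe_getenv() compares getgid() with itself, so it is never true and a setgid-only caller is not rejected by this check; it should read `if ((getuid() != geteuid()) || (getgid() != getegid()))`. This matters most on builds where neither HAVE_PRCTL, the linux/SYS_prctl fallback, nor HAVE___SECURE_GETENV applies, because the function then falls through to plain getenv() with only this uid/gid test in front of it. Separately, the `arg` parameter is never used and the variable name is hard-coded in both return statements, so the `safe_getenv("BLKID_FILE")` call in the second hunk passes its argument to no effect; `return getenv(arg);` and `return __secure_getenv(arg);` would make the helper match its signature. A short comment above the function stating that it returns NULL whenever the environment must not be trusted would also help the next reader.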
@@ -41,8 +77,8 @@ int blkid_get_cache(blkid_cache *ret_cache, const char *filename)
if (filename && !strlen(filename))
filename = 0;
- if (!filename && (getuid() == geteuid()))
- filename = getenv("BLKID_FILE");
+ if (!filename)
+ filename = safe_getenv("BLKID_FILE");
if (!filename)
filename = BLKID_CACHE_FILE;
cache->bic_filename = blkid_strdup(filename);