This would be a VERY BAD IDEA. It would allow the caller to execute any
code they want as the target user. For instance, with LD_LIBRARY_PATH
they could provide a version of exit() that performs the equivalent of
"rm *" in the target user's directory. And if it's a setuid-root
program, they could take down the entire system.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Yes, but you have to actually write the code to do it. It can't be
done automatically because those environment variables would have to
be carefully sanitized to ensure they don't pose a threat to the
setuid program.
What you do is you write a program that you leave non-setuid that
assembles all the environment variables the setuid program needs and
puts them someplace it can get them. For example, you could put them
in a temporary file and pass the path of that file to the setuid
program. (The program can just write the whole environment to a file
with no processing, if desired.) The setuid program then runs, reads
in the temporary file, and selectively sets those environment
variables it chooses to honor.
It must check each setting carefully to ensure it doesn't pose a
security threat. Obviously, being able to replace libraries that a
setuid program runs is equivalent to being that user, since your
library could, for example, set an arbitrary program setuid if
maliciously constructed to do so.
If needed, the setuid program can then launch the actual desired
program, which would then not need to be setuid. In that case, the
environment settings passed to it by the setuid program would be
honored.
Note that is extremely advanced UNIX programming and should not be
attempted by those who don't deeply understand the consequences of
what they're doing. The three program approach is, IMO, best. Again
they are:
1) User helper program, not setuid. This program puts the environment
or other user settings where program 2 can find it.
2) The launcher program itself. This program is setuid and reads the
environment or whatever settings that program 1 placed for it, it sets
up the environment and security context for program 3. Note that this
program must carefully screen everything it passes to the third
program.
3) The program that does the actual work, which now does need to be
setuid since program 2 set up its context and permissions.
DS
Or you can specify the location of libraries at compile/link time.