Usage of secure_getenv prevents build against musl libc

Bug #1623725 reported by Loïc Minier
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snap-confine | Fix Released | Wishlist | Loïc Minier | |
| snap-confine (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | In Progress | Undecided | Unassigned | |

Bug Description

[Impact]

snap-confine relies on the glibc function secure_getenv() to work. This function is not available on musl, so the build cannot complete. With this bug fixed, snap-confine now contains an implementation of secure_getenv() that is used when the standard library does not provide a copy of this function.

[Test Case]

snap-confine can be built with musl C library.

[Regression Potential]

This change does not affect the Ubuntu package.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.

* snap-confine is technically an integral part of snapd, which has an SRU exception and is allowed to introduce new features and take advantage of the accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

Hi,

Building snap-confine against the musl libc breaks due to the use of secure_getenv() which is a GNU extension.

It would be nice to allow building snap-confine against musl as it's the default libc for OpenWRT and derived trees. This could be achieved by providing a secure_getenv alternate implementation or just falling back to getenv().

See discussion at https://github.com/snapcore/snap-confine/pull/140

Cheers,
- Loïc Minier

Seth Arnold (seth-arnold) wrote :

I strongly recommend providing the secure_getenv() routine on platforms that lack it. It's an important part of keeping setuid executables safe.

Thanks

Zygmunt Krynicki (zyga)
Changed in snap-confine:
milestone: none → 1.0.41
status: New → Fix Committed
assignee: nobody → Loïc Minier (lool)
Loïc Minier (lool)
summary: - Usage of secure_getenv prevents build against glibc
+ Usage of secure_getenv prevents build against musl libc
Loïc Minier (lool) wrote :

snap-confine is a suid program and its security is indeed critical; there are two cases where secure_getenv is required:
- libraries that change behavior based on environment variables, because this might allow abusing a suid program linked to that library
- suid programs themselves – in cases where the code is shared with non-suid code or the program can be run in both suid and non-suid mode

snap-confine is run non-suid during the testsuite, and the environment variables it reads would allow bypassing the confinement it's supposed to provide if read when suid.

Even if the target system disables all AppArmor profile usage, using getenv() instead of secure_getenv() means that a vulnerable suid snap-confine is installed on these systems and could be abused to bypass other security (for instance to escalate an unprivileged process to root).
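
An added example, not snap-confine's own code, of a fallback for a libc that lacks secure_getenv(): it returns NULL when the kernel flagged the exec as secure (AT_SECURE) or when the real and effective IDs differ, and otherwise behaves like getenv(). The names compat_secure_getenv, needs_secure_mode, process_is_privileged, lookup_env and EXAMPLE_DEBUG are hypothetical, and getauxval() from <sys/auxv.h> assumes Linux.

```c
/* Added example: fallback for a libc without secure_getenv(). Hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (assumes Linux) */
#include <sys/types.h>
#include <unistd.h>

/* Pure decision: must the environment be treated as attacker-controlled?
 * AT_SECURE is set by the kernel at exec time and stays set even if the
 * program later makes its real and effective IDs equal, so it is checked
 * first. The ID comparison is a backstop for when AT_SECURE reads as 0. */
static int needs_secure_mode(unsigned long at_secure,
                             uid_t ruid, uid_t euid,
                             gid_t rgid, gid_t egid)
{
    if (at_secure != 0)
        return 1;
    return ruid != euid || rgid != egid;
}

/* Gather the live process state and apply the decision above. */
static int process_is_privileged(void)
{
    return needs_secure_mode(getauxval(AT_SECURE),
                             getuid(), geteuid(), getgid(), getegid());
}

/* In secure mode every variable is reported as unset. */
static char *lookup_env(const char *name, int secure)
{
    return secure ? NULL : getenv(name);
}

/* Same contract as glibc's secure_getenv(): NULL when running privileged. */
char *compat_secure_getenv(const char *name)
{
    return lookup_env(name, process_is_privileged());
}

int main(void)
{
    /* EXAMPLE_DEBUG is a constructed variable name for illustration. */
    const char *v = compat_secure_getenv("EXAMPLE_DEBUG");
    printf("EXAMPLE_DEBUG=%s\n", v ? v : "(ignored or unset)");
    return 0;
}
```
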

Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: Fix Committed → Fix Released
importance: Undecided → Wishlist
Zygmunt Krynicki (zyga)
description: updated
Changed in snap-confine (Ubuntu):
status: New → Fix Released
Changed in snap-confine (Ubuntu Xenial):
status: New → In Progress