[cs631apue] getprogname restriction

Jan Schaumann jschauma at stevens.edu
Mon Oct 1 10:11:31 EDT 2018


Aubhik Mazumdar <amazumda at stevens.edu> wrote:
 
> The string returned by getprogname() is supplied by the invoking process and should not be trusted by setuid or setgid programs.
> 
> I don't understand how it could be exploited in a program using setuid or setgid. Does anyone have an idea?

setprogname(3) often sets the program name from the name of the
executable, e.g.

setprogname(argv[0]);

That is, it may be user-controlled.  If there is a setuid binary, any
user can create a symlink pointing to the binary with any name, thereby
controlling the value of what getprogname(3) will return.

If the program then uses the value of getprogname(3) in an unsafe
fashion, it can lead to a security problem.  For example, suppose the
setuid program needs to re-exec itself and tries to do so by invoking
the command determined via getprogname(3); it may instead execute a
different program:

For a contrived example, assume a program 'setuid-cat' that can read any
file.  If that were to re-exec getprogname(3), I can make it remove all
those files by e.g.:

$ ln -s /sbin/setuid-cat rm
$ ./rm some-file

Now 'setuid-cat' sets the progname to 'rm', and if it re-execs, it will
invoke /bin/rm instead, leading to the file being removed.


Other attack vectors might be in creating a filename that contains
non-ASCII characters that the program might interpret in some unexpected
way.

As always, anything that the user has control over must not be trusted
at execution time.

-Jan
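The symlink trick from the post, reproduced end to end as an added shell demo (this is not code from the original message or from the course). Two constructed scripts stand in for 'setuid-cat' and for 'rm': neither is setuid, the real rm is never run, and the fake rm only reports what it would have deleted. The victim mimics setprogname(argv[0]) followed by a re-exec of getprogname(); the "safe" variant instead re-execs the resolved path of the file actually running (readlink -f here; in a real C program that would be a compiled-in absolute path or, on Linux, /proc/self/exe rather than anything derived from argv[0]). The variable names REEXEC_MODE and ALREADY_REEXECED are invented for the demo.

```shell
#!/bin/sh
# Added demonstration, not part of the original post.  Two constructed shell
# scripts stand in for 'setuid-cat' and for 'rm'; nothing here is setuid and
# the real rm is never invoked.  The scripts only mimic the control flow:
# setprogname(argv[0]) followed by a re-exec of getprogname().

setup_demo() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/bin"

    # Attacker-side stand-in for /bin/rm: first on PATH, reports instead of deleting.
    cat > "$demo_dir/bin/rm" <<'EOF'
#!/bin/sh
echo "rm would remove: $*"
EOF
    chmod +x "$demo_dir/bin/rm"

    # Victim stand-in for 'setuid-cat'.  REEXEC_MODE (invented for the demo)
    # picks how it re-execs itself:
    #   unsafe - by the name derived from argv[0], looked up on PATH
    #   safe   - by the resolved path of the file that is actually running
    cat > "$demo_dir/setuid-cat" <<'EOF'
#!/bin/sh
progname=$(basename "$0")              # what setprogname(argv[0]) would record
if [ -z "$ALREADY_REEXECED" ]; then
    export ALREADY_REEXECED=1
    case "$REEXEC_MODE" in
        unsafe) exec "$progname" "$@" ;;             # user-chosen name, PATH search
        safe)   exec "$(readlink -f "$0")" "$@" ;;   # symlink resolved, name ignored
    esac
fi
echo "setuid-cat would print: $*"
EOF
    chmod +x "$demo_dir/setuid-cat"

    # The move from the post: a symlink to the binary, named 'rm'.
    ln -s "$demo_dir/setuid-cat" "$demo_dir/rm"
}

# Run the victim through the attacker's symlink with the fake rm first on PATH.
# $1 is the re-exec mode; the victim's final output is printed.
run_via_symlink() {
    REEXEC_MODE=$1 PATH="$demo_dir/bin:$PATH" "$demo_dir/rm" some-file
}

cleanup_demo() {
    rm -rf "$demo_dir"
}

demo() {
    setup_demo
    echo "unsafe re-exec: $(run_via_symlink unsafe)"
    echo "safe re-exec:   $(run_via_symlink safe)"
    cleanup_demo
}

demo
```

In the unsafe mode the victim, invoked as ./rm, records "rm" as its program name and its re-exec hands control to whatever "rm" resolves to on PATH; in the safe mode the name the caller chose plays no part in what gets executed. The same applies to any other use of the name: logging, locating configuration or data files, or choosing behaviour by name are all decisions a setuid program should not leave to a string the caller supplied.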

