
Format string vulnerability in sudo


Posted Feb 3, 2012 6:36 UTC (Fri) by cmccabe (guest, #60281)
In reply to: Format string vulnerability in sudo by josh
Parent article: Format string vulnerability in sudo

I don't see the point of arbitrarily limiting the ability of sysadmins to rename programs. Why hardcode the name when you don't have to? Do you enjoy adding arbitrary limitations just because you can?

Even if we ignore the rename issue, there are plenty of reasons why a program might want to know its own name.

One of them is if you are writing an argument parsing library intended to be used by many different programs. You won't know the program name ahead of time, and you want to print it out in the usage message.

Another is if you want the same program to have different behaviors based on the name it was invoked with. Busybox has used this trick for more than a decade to avoid the space overhead of having a different binary for each command.

If you're searching for configuration files, one place you might want to look is in dirname(argv[0]).

Just because you don't have the imagination to think of good uses for argv[0], doesn't mean that they don't exist.



Format string vulnerability in sudo

Posted Feb 3, 2012 6:44 UTC (Fri) by cmccabe (guest, #60281)

Sorry for the perhaps overly adversarial tone of the above comment. I'm just annoyed that people could genuinely think argv[0] was a bad thing. Meh.

Format string vulnerability in sudo

Posted Feb 3, 2012 8:54 UTC (Fri) by josh (subscriber, #17465)

I don't consider hardcoding the name an arbitrary limitation; the program *does* know its own name, it just doesn't change that name based on its filename. :)

Libraries ought to accept the program name as a parameter; the program could choose to pass them argv[0] if it wants to, but might want to pass something else (a subcommand name for instance), or just pass the compile-time name of the program.

You *definitely* don't want to look in dirname(argv[0]) for configuration files, for several reasons: argv[0] need not contain a path at all, it might contain a user-controlled path that you don't trust, and on most systems the path containing the binary will never contain configuration files. Most programs get their configuration path at compile-time; programs using autotools get it from the ./configure command line.

As for making behavior conditional on the program name, that makes sense for something like busybox that needs to save space at all costs, but most programs don't do that anymore due to various logistical complications, preferring instead to have the same behavior no matter how they get invoked. For example, these days gunzip refers to a shell script rather than a hardlink to gzip.

I don't necessarily consider argv[0] a universally bad thing to rely on, but I don't think it should get used and relied on as often as it does.
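
An added example, not part of this thread and not sudo's code: one way to handle the points in the comment above in C, treating argv[0] as caller-supplied data for the usage message and taking the configuration directory from a compile-time constant. `COMPILED_NAME`, `SYSCONFDIR` and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COMPILED_NAME "exampled"      /* hypothetical compile-time program name */
#define SYSCONFDIR    "/etc/exampled" /* hypothetical; normally set by ./configure */

/* Copy a display name into out: the basename of argv[0] when it is present,
 * non-empty, short enough and printable, otherwise the compiled-in name. */
const char *display_name(int argc, char **argv, char *out, size_t outlen)
{
    const char *src = (argc > 0 && argv && argv[0] && argv[0][0])
                          ? argv[0] : COMPILED_NAME;
    const char *slash = strrchr(src, '/');
    if (slash)
        src = slash + 1;                       /* argv[0] may or may not hold a path */
    if (*src == '\0' || strlen(src) >= outlen)
        src = COMPILED_NAME;
    for (const char *p = src; *p; p++)
        if (!isprint((unsigned char)*p)) {     /* reject control bytes and escapes */
            src = COMPILED_NAME;
            break;
        }
    snprintf(out, outlen, "%s", src);
    return out;
}

/* The name is an argument to a fixed "%s" format, never the format itself. */
int format_usage(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "usage: %s [options]\n", name);
}

/* Build the config path from the compile-time directory, not dirname(argv[0]). */
int config_path(char *out, size_t outlen, const char *file)
{
    int n = snprintf(out, outlen, "%s/%s", SYSCONFDIR, file);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char name[64], usage[128], path[128];
    format_usage(usage, sizeof usage, display_name(argc, argv, name, sizeof name));
    fputs(usage, stderr);
    if (config_path(path, sizeof path, "main.conf") == 0)
        printf("config: %s\n", path);
    return 0;
}
```
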

Format string vulnerability in sudo

Posted Feb 3, 2012 19:07 UTC (Fri) by cmccabe (guest, #60281)

> You *definitely* don't want to look in dirname(argv[0])
> for configuration files, for several reasons: argv[0]
> need not contain a path at all, it might contain a
> user-controlled path that you don't trust, and on most
> systems the path containing the binary will never contain
> configuration files.

Well, I would definitely never suggest doing this for setuid binaries, like sudo. I did it once with scripts that I wrote and it worked out fine.

