Skip to content

Added #defined to force disable secure_getenv#39343

Closed
pawbhard wants to merge 19 commits intogrpc:masterfrom
pawbhard:getenv_wa
Closed

Added #defined to force disable secure_getenv#39343
pawbhard wants to merge 19 commits intogrpc:masterfrom
pawbhard:getenv_wa

Conversation

@pawbhard
Copy link
Copy Markdown
Contributor

@pawbhard pawbhard commented Apr 23, 2025

Problem: secure_getenv return NULL if linux capabilities are added to the executable.

As a solution, adding the "GRPC_FORCE_INSECURE_GETENV"

We want to discourage its use due to security vulnerabilities mentioned in the secure_getenv man page

@pawbhard pawbhard requested review from ctiller and markdroth April 23, 2025 06:44
@pawbhard pawbhard self-assigned this Apr 23, 2025
@pawbhard pawbhard added the release notes: no Indicates if PR should not be in release notes label Apr 23, 2025
@ctiller
Copy link
Copy Markdown
Member

ctiller commented Apr 23, 2025

Should we have something in the build system to enable this? @veblush

@veblush
Copy link
Copy Markdown
Contributor

veblush commented May 6, 2025

I wish there is a way to handle without a new configuration. If we have to add this one, I'm fine with not having a proper build configuration as they easily pass additional C++ defines (and this only affect cc files so passing it when building gRPC should be enough)

@ctiller
Copy link
Copy Markdown
Member

ctiller commented May 7, 2025

What is the testing story for this?

@pawbhard
Copy link
Copy Markdown
Contributor Author

pawbhard commented May 9, 2025
edited
Loading

handle without a new configuration. If we have to add this one, I'm fine with not having a proper build configuration as they easily pass additional C++ defines (and this only affect cc files so passing it when building gRPC should be enough)

Added build config, cc: @ctiller , @veblush

@pawbhard
Copy link
Copy Markdown
Contributor Author

pawbhard commented May 16, 2025

What is the testing story for this?

Added test

yashykt
yashykt reviewed May 20, 2025
View reviewed changes
yashykt
yashykt reviewed May 20, 2025
View reviewed changes
pawbhard added a commit to pawbhard/grpc that referenced this pull request May 30, 2025
@pawbhard
Added #defined to force disable secure_getenv (grpc#39343)
5009b47 
Problem: [secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41) return NULL  if linux [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) are added to the executable.

As a solution, adding the "GRPC_FORCE_INSECURE_GETENV"

We want to discourage its use due to security vulnerabilities mentioned in the [secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41) man page

Closes grpc#39343

COPYBARA_INTEGRATE_REVIEW=grpc#39343 from pawbhard:getenv_wa 999f13a
PiperOrigin-RevId: 760926719
pawbhard added a commit to pawbhard/grpc that referenced this pull request May 30, 2025
@pawbhard
Added #defined to force disable secure_getenv (grpc#39343)
21e723b 
Problem: [secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41) return NULL  if linux [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) are added to the executable.

As a solution, adding the "GRPC_FORCE_INSECURE_GETENV"

We want to discourage its use due to security vulnerabilities mentioned in the [secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41) man page

Closes grpc#39343

COPYBARA_INTEGRATE_REVIEW=grpc#39343 from pawbhard:getenv_wa 999f13a
PiperOrigin-RevId: 760926719
This was referenced May 30, 2025
Merged
Merged
sreenithi pushed a commit that referenced this pull request May 30, 2025
@pawbhard
[Backport][v1.72]Added #defined to force disable secure_getenv (#39343)…
54bd142 
… (#39715)

Backport #39343 to v1.72.x
---
Problem:
[secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41)
return NULL if linux
[capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html)
are added to the executable.

As a solution, adding the "GRPC_FORCE_INSECURE_GETENV"

We want to discourage its use due to security vulnerabilities mentioned
in the
[secure_getenv](https://github.com/grpc/grpc/blob/2dd25392e8951c000eee2f35c9fe66862f9c8883/src/core/util/linux/env.cc#L41)
man page

Closes #39343

COPYBARA_INTEGRATE_REVIEW=#39343 from
pawbhard:getenv_wa 999f13a
PiperOrigin-RevId: 760926719
pawbhard added a commit that referenced this pull request May 30, 2025
@pawbhard
[Backport][v1.71]Added #defined to force disable secure_getenv (#39343)…
738a2b0 
… (#39716)

Backport #39343 to 1.71.
@pawbhard pawbhard deleted the getenv_wa branch June 4, 2025 04:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yashykt yashykt yashykt approved these changes

@ctiller ctiller Awaiting requested review from ctiller

@markdroth markdroth Awaiting requested review from markdroth

Assignees

@pawbhard pawbhard

Labels

bloat/none lang/core per-call-memory/neutral per-channel-memory/neutral priority/P0/RELEASE BLOCKER release notes: no Indicates if PR should not be in release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pawbhard @ctiller @veblush @yashykt