better document perils of setuid getenv and xr with issetugid

ok deraadt

2 files changed, 14 insertions, 5 deletions

diff --git a/lib/libc/stdlib/getenv.3 b/lib/libc/stdlib/getenv.3
index 23335595161..ce2ef43b6f3 100644
--- a/lib/libc/stdlib/getenv.3
+++ b/lib/libc/stdlib/getenv.3
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"	$OpenBSD: getenv.3,v 1.20 2014/04/21 08:46:59 guenther Exp $
+.\"	$OpenBSD: getenv.3,v 1.21 2014/07/11 09:24:03 tedu Exp $
 .\"
-.Dd $Mdocdate: April 21 2014 $
+.Dd $Mdocdate: July 11 2014 $
 .Dt GETENV 3
 .Os
 .Sh NAME
@@ -145,6 +145,7 @@ function failed because it was unable to allocate memory for the environment.
 .Xr csh 1 ,
 .Xr sh 1 ,
 .Xr execve 2 ,
+.Xr issetugid 2 ,
 .Xr environ 7
 .Sh STANDARDS
 The
@@ -175,3 +176,10 @@ The
 .Fn putenv
 function appeared in
 .Bx 4.3 Reno .
+.Sh CAVEATS
+Library code must be careful about using
+.Fn getenv
+to read untrusted environment variables in setuid programs.
+The
+.Fn issetugid
+function is provided for this purpose.
diff --git a/lib/libc/sys/issetugid.2 b/lib/libc/sys/issetugid.2
index aa495041113..f969d0d1bc9 100644
--- a/lib/libc/sys/issetugid.2
+++ b/lib/libc/sys/issetugid.2
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: issetugid.2,v 1.19 2007/05/31 19:19:32 jmc Exp $
+.\"	$OpenBSD: issetugid.2,v 1.20 2014/07/11 09:24:03 tedu Exp $
 .\"
 .\" Copyright (c) 1980, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: July 11 2014 $
 .Dt ISSETUGID 2
 .Os
 .Sh NAME
@@ -97,7 +97,8 @@ indicate an error.
 .Xr setegid 2 ,
 .Xr seteuid 2 ,
 .Xr setgid 2 ,
-.Xr setuid 2
+.Xr setuid 2 ,
+.Xr getenv 3
 .Sh HISTORY
 The
 .Fn issetugid