The OS prevents access to certain environment variables when running setuid or setgid executables.
This is a security feature to prevent setuid or setgid programs from having their environment altered to allow for malicious reading/writing of file data.
There are several environment variables ignored for setuid or setgid programs, including:
- GCONV_PATH
- HOSTALIASES
- LD_DEBUG_OUTPUT
- LD_LIBRARY_PATH
- LD_ORIGIN_PATH
- LD_PRELOAD
- LD_PROFILE
- LD_USE_LOAD_BIAS
- LOCALDOMAIN
- LOCPATH
- MALLOC_TRACE
- NLSPATH
- RESOLV_HOST_CONF
- RES_OPTIONS
- TMPDIR
- TZDIR
The _progres executable has its setuid bit set to 1 with root as the owner.
This means that the _progres executable is run in secure-execution mode where the above-mentioned environment variables are ignored, if the process owner ID or group ID doesn't match that of the non-root user ID.
From the ld.so(8) documentation:
What is secure-execution mode
Secure-execution mode
For security reasons, the effects of some environment variables are
voided or modified if the dynamic linker determines that the binary
should be run in secure-execution mode. (For details, see the
discussion of individual environment variables below.) A binary is
executed in secure-execution mode if the AT_SECURE entry in the
auxiliary vector (see getauxval(3)) has a nonzero value. This entry
may have a nonzero value for various reasons, including:
* The process's real and effective user IDs differ, or the real and
effective group IDs differ. This typically occurs as a result of
executing a set-user-ID or set-group-ID program.
* A process with a non-root user ID executed a binary that conferred
capabilities to the process.
* A nonzero value may have been set by a Linux Security Module.
