ld.so not ignoring LD_PRELOAD on setuid binaries?
ld.so doesn't ignore LD_PRELOAD (but apparently fails to load any
libraries in LD_PRELOAD) if loading a setuid binary.
Apparently, when ld.so loads a setuid bin, and if $LD_PRELOAD
has a `/', then ld.so silently ignores $LD_PRELOAD.
This is good, as any fool can install a .so lib that would
make /bin/su skip the passwd checking pass, and just hand root.
However, if $LD_PRELOAD doesn't have a `/' in it, ld.so
_does_ attempt to load the library -- and it fails:
$ LD_PRELOAD=libc.so.6 /bin/su
/bin/su: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
It _is_ of course good that ld.so fails to load the library:
for writers of setuid binaries it's hard enough to check their binary
cannot be exploited when linked against the specified libraries; if
you'd also have to check for a game-library that wraps `stat()' to
a function that reports the statistics, that would complicate matters...
Now, I'm wondering if anyone knows why ld.so silently ignores
$LD_PRELOAD if it does contain a `/', while it fails to load the
program when $LD_PRELOAD doesn't contain a `/'.
Thanks,
joostje
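
Added example (not part of the original post, and not glibc's code): a simplified C model of the rule documented in ld.so(8) for one LD_PRELOAD entry in secure-execution mode. Entries containing a slash are ignored, and slash-free names are preloaded only from the standard search directories and only if the file has the set-user-ID bit. The names classify_preload and verdict_name and the directory list /lib, /usr/lib are assumptions made for illustration.

```c
/* Simplified model of secure-execution LD_PRELOAD filtering, following the
 * rule in ld.so(8). Illustration only; not taken from glibc. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum preload_verdict {
    PRELOAD_IGNORED,    /* entry contains '/': dropped silently */
    PRELOAD_NOT_FOUND,  /* no such file in any trusted directory */
    PRELOAD_NO_SUID,    /* file exists but lacks the set-user-ID bit */
    PRELOAD_ALLOWED     /* file in a trusted directory with set-user-ID bit */
};

/* Classify one LD_PRELOAD entry. trusted_dirs is a NULL-terminated list. */
enum preload_verdict classify_preload(const char *entry,
                                      const char *const *trusted_dirs)
{
    struct stat st;
    char path[4096];
    int found = 0;

    if (strchr(entry, '/') != NULL)
        return PRELOAD_IGNORED;        /* the "has a `/'" case in the post */

    for (size_t i = 0; trusted_dirs[i] != NULL; i++) {
        int n = snprintf(path, sizeof path, "%s/%s", trusted_dirs[i], entry);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;                  /* path would be truncated: skip it */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        found = 1;
        if (st.st_mode & S_ISUID)
            return PRELOAD_ALLOWED;
    }
    return found ? PRELOAD_NO_SUID : PRELOAD_NOT_FOUND;
}

const char *verdict_name(enum preload_verdict v)
{
    static const char *const names[] = { "ignored (contains '/')",
        "not found in trusted dirs", "rejected (no setuid bit)", "allowed" };
    return names[v];
}

int main(int argc, char **argv)
{
    /* Assumed trusted directories; the real list is system-specific. */
    static const char *const dirs[] = { "/lib", "/usr/lib", NULL };
    for (int i = 1; i < argc; i++)
        printf("%-30s %s\n", argv[i], verdict_name(classify_preload(argv[i], dirs)));
    return 0;
}
```

Run it with candidate LD_PRELOAD entries as arguments to see which branch each one takes.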