[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Some ideas and concerns regarding fakeroot

Christoph Lameter wrote:
> The fakeroot package simulates virtual permissions and might be able to
> simulate virtual files such as an /etc/passwd file. It would be a big
> security hole if someone could develope a library that can be preloaded
> with LD_PRELOAD which results in the ability to tamper with the contents
> of /etc/passwd by redirecting it somewhere else. Fakeroot seems to show to
> me that this is possible. The LD_PRELOAD function should be somehow
> safeguarded. I do not want any of the users on my system to have that
> ability.
> Simple hack with such a preloaded library: Substitute a known password for
> root in /etc/passwd and run su. Type the password and you are superuser.

Why do you think this could possibly be done? Suid programs ignore
LD_PRELOAD, won't that prevent this?

see shy jo

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: