
Re: Some ideas and concerns regarding fakeroot



Christoph Lameter wrote:
> The fakeroot package simulates virtual permissions and might be able to
> simulate virtual files such as an /etc/passwd file. It would be a big
> security hole if someone could develop a library that can be preloaded
> with LD_PRELOAD which results in the ability to tamper with the contents
> of /etc/passwd by redirecting it somewhere else. Fakeroot seems to show to
> me that this is possible. The LD_PRELOAD function should be somehow
> safeguarded. I do not want any of the users on my system to have that
> ability.
> 
> Simple hack with such a preloaded library: Substitute a known password for
> root in /etc/passwd and run su. Type the password and you are superuser.

Why do you think this could possibly be done? Suid programs ignore
LD_PRELOAD, won't that prevent this?

-- 
see shy jo
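
The safeguard the reply refers to, as an added example that is not part of the original message: on Linux with glibc, a set-uid or set-gid exec is flagged with AT_SECURE and ld.so(8) then filters LD_PRELOAD. The function names and the sample LD_PRELOAD value are constructed for illustration, and the ID comparison is a simplified model of when secure-execution mode applies.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval, AT_SECURE (glibc >= 2.16) */
#include <sys/types.h>

/* Simplified model: set-uid/set-gid execution makes real and effective IDs
 * differ, and the kernel then sets AT_SECURE for the new process. */
int ids_imply_secure(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Count the LD_PRELOAD entries that remain candidates. In secure-execution
 * mode ld.so(8) ignores entries containing a slash; slash-free names are
 * still limited to standard directories and set-user-ID library files. */
int surviving_preloads(const char *value, int secure)
{
    char buf[4096];
    int kept = 0;

    if (value == NULL || strlen(value) >= sizeof buf)
        return 0;
    strcpy(buf, value);
    /* Entries are separated by spaces or colons. */
    for (char *e = strtok(buf, " :"); e != NULL; e = strtok(NULL, " :"))
        if (!secure || strchr(e, '/') == NULL)
            kept++;
    return kept;
}

int main(void)
{
    /* Constructed sample value; the library names are hypothetical. */
    const char *sample = "/tmp/shim.so libexample.so:/home/user/hook.so";
    int secure = getauxval(AT_SECURE) != 0;

    printf("this process AT_SECURE=%d\n", secure);
    printf("normal exec keeps %d entries\n", surviving_preloads(sample, 0));
    printf("set-uid exec keeps %d entries\n", surviving_preloads(sample, 1));
    return 0;
}
```

Run as an ordinary user, the first line reports AT_SECURE=0; the same binary installed set-uid would report 1, which is the condition under which the loader drops the preload paths.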

