Re: Some ideas and concerns regarding fakeroot
Christoph Lameter wrote:
> The fakeroot package simulates virtual permissions and might be able to
> simulate virtual files such as an /etc/passwd file. It would be a big
> security hole if someone could develope a library that can be preloaded
> with LD_PRELOAD which results in the ability to tamper with the contents
> of /etc/passwd by redirecting it somewhere else. Fakeroot seems to show to
> me that this is possible. The LD_PRELOAD function should be somehow
> safeguarded. I do not want any of the users on my system to have that
> ability.
>
> Simple hack with such a preloaded library: Substitute a known password for
> root in /etc/passwd and run su. Type the password and you are superuser.
Why do you think this could possibly be done? Suid programs ignore
LD_PRELOAD, won't that prevent this?
--
see shy jo
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: