[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ld.so and LD_PRELOAD

On Sat, 7 Jun 2003 04:02, Ben Collins wrote:
> > Now I don't want to maintain a SE Linux version of libc6 for a special
> > /lib/ld-linux.so.2 if I can avoid it.  Also I think it would be ideal if
> > the functionality in this regard could support multiple security systems.
> >  Would it be practical for /lib/ld-linux.so.2 to load a shared object to
> > determine whether LD_PRELOAD is allowed?
> I don't know too much about SE Linux, but what keeps someone who has
> root from dropping their own ld-linux.so.2 in there?

The same thing that stops them from replacing /etc/shadow and other important 
files.  Merely having root does not grant you much access on a SE Linux 
system, see http://www.coker.com.au/selinux/play.html .

> I assume that SE Linux has some higherlevel traps than just root and
> not-root. What keeps them from doing:
> ./myld.so /bin/program-to-exploit

It's the same as doing "./myld.so /bin/passwd".  Sure you can run that 
command, it will run the program, but the program will get the same access as 
determined by ./myld.so not that which would be granted by running 
/bin/passwd (so therefore you can't modify /etc/shadow or do any other fun 

> though? Is /lib/ld-linux.so.2 given some filesystem based attributes
> that gives it higher capabilities than some copied ld.so?

It's exactly the same as the default Linux situation regarding SUID files.  
Run "./ld.so /bin/passwd" as non-root and the passwd program will attempt to 
do it's thing, but it won't have any access to /etc/shadow and won't be able 
to do anything.  The same thing applies in SE Linux if you use the "./ld.so" 
method to run a program that triggers a domain transition (the SE equivalent 
of being SUID), as far as the kernel is concerned you are running the program 
./ld.so and the program /bin/passwd (or whatever you are running) is just a 
shared object that the program reads.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: