
Re: ld.so and LD_PRELOAD



On Sat, 7 Jun 2003 04:02, Ben Collins wrote:
> > Now I don't want to maintain a SE Linux version of libc6 for a special
> > /lib/ld-linux.so.2 if I can avoid it.  Also I think it would be ideal if
> > the functionality in this regard could support multiple security systems.
> >  Would it be practical for /lib/ld-linux.so.2 to load a shared object to
> > determine whether LD_PRELOAD is allowed?
>
> I don't know too much about SE Linux, but what keeps someone who has
> root from dropping their own ld-linux.so.2 in there?

The same thing that stops them from replacing /etc/shadow and other important 
files.  Merely having root does not grant you much access on a SE Linux 
system, see http://www.coker.com.au/selinux/play.html .

> I assume that SE Linux has some higher-level traps than just root and
> not-root. What keeps them from doing:
>
> ./myld.so /bin/program-to-exploit

It's the same as doing "./myld.so /bin/passwd".  Sure you can run that 
command, it will run the program, but the program will get the same access as 
determined by ./myld.so not that which would be granted by running 
/bin/passwd (so therefore you can't modify /etc/shadow or do any other fun 
things).

> though? Is /lib/ld-linux.so.2 given some filesystem based attributes
> that gives it higher capabilities than some copied ld.so?

It's exactly the same as the default Linux situation regarding SUID files.  
Run "./ld.so /bin/passwd" as non-root and the passwd program will attempt to 
do its thing, but it won't have any access to /etc/shadow and won't be able 
to do anything.  The same thing applies in SE Linux if you use the "./ld.so" 
method to run a program that triggers a domain transition (the SE equivalent 
of being SUID), as far as the kernel is concerned you are running the program 
./ld.so and the program /bin/passwd (or whatever you are running) is just a 
shared object that the program reads.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


