
LD_PRELOAD used with setuid programs (was Re: Fakeroot security problem)



On Wed, Jan 28, 1998 at 11:52:45PM +0000, Mark Baker wrote:
> On Wed, Jan 28, 1998 at 11:46:46PM -0000, bruce@va.debian.org wrote:
> > Fakeroot is not the only library in a privileged directory that should
> > not be run with a setuid executable by an unprivileged user.
> > Although I don't know of an exploit, my Electric Fence library has not
> > been audited for that kind of security. If there is a shared library for
> > Checker, it probably has the same status.
> 
> Do you think debian should, whatever the upstream author does, fix ld.so so
> this isn't possible (it would actually make the code simpler)? I can't think
> of any good reason not to, even if the security risk is negligible.

	Yes, both ld-linux.so.2 and ld-linux.so.1 should be fixed;
nobody should be able to run a setuid program in a LD_PRELOAD
environment.  At least, I can't find any reason to allow it, and many
people could use it to try to find exploits.

	The fix is very easy, both in libc6 and ld.so:

=================== patch for glibc_2.0.6-2 ==========================
--- elf/rtld.c.	Sun Feb  8 22:55:45 1998
+++ elf/rtld.c	Sun Feb  8 22:57:02 1998
@@ -356,7 +356,7 @@
       char *list = strdupa (preloadlist);
       char *p;
       while ((p = strsep (&list, " ")) != NULL)
-	if (! __libc_enable_secure || strchr (p, '/') == NULL)
+	if (! __libc_enable_secure)
 	  {
 	    struct link_map *new_map = _dl_map_object (NULL, p, lt_library, 0);
 	    if (new_map->l_opencount == 1)
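Review bot: with the `strchr (p, '/') == NULL` exemption removed, the `if` now tests a value that is constant for the whole loop, so the `strsep` tokenising of the `strdupa (preloadlist)` copy runs for nothing in the secure case; consider testing `__libc_enable_secure` once before the copy and skipping the loop entirely, which is also the simplification the quoted reply anticipates. A one-line comment saying that LD_PRELOAD is ignored for set-user-ID programs would help, since the removed clause recorded a deliberate exception (slash-less names taken from the trusted search path) that a later reader might otherwise put back.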
======================================================================

=================== patch for ld.so-1.9.6 ============================
--- d-link/boot1.c.	Mon Jul 21 21:45:35 1997
+++ d-link/boot1.c	Sun Feb  8 22:59:26 1998
@@ -561,7 +561,7 @@
 	  str2++;
 	c = *str2;
 	*str2 = '\0';
-	if (!_dl_secure || _dl_strchr(str, '/') == NULL) {
+	if (!_dl_secure) {
 	  tpnt1 = _dl_load_shared_library(NULL, str);
 	  if (!tpnt1) {
 	    if (_dl_trace_loaded_objects)
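Review bot: same point as for the glibc hunk: `_dl_secure` does not change between tokens, so the test belongs before the loop that splits the list at `str2`, rather than after each `*str2 = '\0'` has already been written; as posted the change is correct but does the splitting work for every entry before discarding it. It also deserves a changelog note, because the dropped `_dl_strchr(str, '/') == NULL` branch previously let a setuid program preload a library named without a path, and that accepted behaviour goes away.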
======================================================================

	Should I submit a bug report against these packages?

-- 
Juan Cespedes
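As an added illustration (not code from the patches above nor from glibc or ld.so), here is the preload-list selection logic the two hunks change, written as a stand-alone C function so the pre-patch and patched rules can be compared on a constructed LD_PRELOAD string; `select_preloads` and its parameters are my own names, and `secure` stands in for `__libc_enable_secure` / `_dl_secure`.

```c
#define _GNU_SOURCE        /* for strsep() and strdup() in <string.h> */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PRELOAD 16     /* constructed limit for this demo */
#define NAME_LEN    64

/*
 * Decide which LD_PRELOAD entries the loader would map.
 *   secure                 : true when running a setuid/setgid program
 *   slashless_ok_in_secure : true  = pre-patch rule (names without '/'
 *                                    are still preloaded in secure mode)
 *                            false = patched rule (nothing is preloaded)
 * Accepted names are copied into `out`; the count is returned.
 */
static int select_preloads(const char *preloadlist, bool secure,
                           bool slashless_ok_in_secure,
                           char out[][NAME_LEN], int max_out)
{
    char *copy = strdup(preloadlist);   /* rtld.c uses strdupa(); heap here */
    char *cursor = copy;
    char *p;
    int n = 0;

    while ((p = strsep(&cursor, " ")) != NULL) {
        if (*p == '\0')                 /* doubled spaces yield empty tokens */
            continue;
        bool allowed = !secure ||
                       (slashless_ok_in_secure && strchr(p, '/') == NULL);
        if (allowed && n < max_out) {
            strncpy(out[n], p, NAME_LEN - 1);
            out[n][NAME_LEN - 1] = '\0';
            n++;
        }
    }
    free(copy);
    return n;
}

int main(void)
{
    /* constructed sample list: one bare name, one absolute path */
    const char *env = "libfakeroot.so /home/user/libdebug.so";
    char out[MAX_PRELOAD][NAME_LEN];
    int n = select_preloads(env, true, true, out, MAX_PRELOAD);
    printf("setuid, pre-patch rule: %d entr%s preloaded\n", n, n == 1 ? "y" : "ies");
    n = select_preloads(env, true, false, out, MAX_PRELOAD);
    printf("setuid, patched rule:   %d entries preloaded\n", n);
    return 0;
}
```

Under the pre-patch rule a setuid program still maps `libfakeroot.so` from the trusted search directories, which is exactly the case Bruce's message worries about; under the patched rule the list is ignored outright.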


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-sparc-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
