LD_PRELOAD used with setuid programs (was Re: Fakeroot security problem)
On Wed, Jan 28, 1998 at 11:52:45PM +0000, Mark Baker wrote:
> On Wed, Jan 28, 1998 at 11:46:46PM -0000, bruce@va.debian.org wrote:
> > Fakeroot is not the only library in a privileged directory that should
> > not be run with a setuid executable by an unprivileged user.
> > Although I don't know of an exploit, my Electric Fence library has not
> > been audited for that kind of security. If there is a shared library for
> > Checker, it probably has the same status.
>
> Do you think Debian should, whatever the upstream author does, fix ld.so so
> this isn't possible (it would actually make the code simpler)? I can't think
> of any good reason not to, even if the security risk is negligible.
Yes, both ld-linux.so.2 and ld-linux.so.1 should be fixed;
nobody should be able to run a setuid program in a LD_PRELOAD
environment. At least, I can't find any reason to allow it, and many
people could use it to try to find exploits.
The fix is very easy, both in libc6 and ld.so:
=================== patch for glibc_2.0.6-2 ==========================
--- elf/rtld.c. Sun Feb 8 22:55:45 1998
+++ elf/rtld.c Sun Feb 8 22:57:02 1998
@@ -356,7 +356,7 @@
char *list = strdupa (preloadlist);
char *p;
while ((p = strsep (&list, " ")) != NULL)
- if (! __libc_enable_secure || strchr (p, '/') == NULL)
+ if (! __libc_enable_secure)
{
struct link_map *new_map = _dl_map_object (NULL, p, lt_library, 0);
if (new_map->l_opencount == 1)
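Review bot: With the `strchr (p, '/') == NULL` clause removed, the test on the `+` line, `if (! __libc_enable_secure)`, no longer depends on `p`, so it is loop-invariant but still sits inside the `while ((p = strsep (&list, " ")) != NULL)` loop. For a secure process the list is still copied by `strdupa (preloadlist)` and tokenised entry by entry with nothing to do. Suggest hoisting the check so the whole preload block is skipped when `__libc_enable_secure` is set. A comment is also missing: the old condition still loaded names without a slash in secure mode, and the new one drops that case, so the code should say that LD_PRELOAD is now ignored entirely for setuid programs and why.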
======================================================================
=================== patch for ld.so-1.9.6 ============================
--- d-link/boot1.c. Mon Jul 21 21:45:35 1997
+++ d-link/boot1.c Sun Feb 8 22:59:26 1998
@@ -561,7 +561,7 @@
str2++;
c = *str2;
*str2 = '\0';
- if (!_dl_secure || _dl_strchr(str, '/') == NULL) {
+ if (!_dl_secure) {
tpnt1 = _dl_load_shared_library(NULL, str);
if (!tpnt1) {
if (_dl_trace_loaded_objects)
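Review bot: On the `+` line, `if (!_dl_secure) {` is now independent of `str`, yet the tokenising in the context lines above it (`str2++; c = *str2; *str2 = '\0';`) still runs for every entry when `_dl_secure` is set. Suggest testing `_dl_secure` once before the preload list is parsed rather than once per entry. Entries are also skipped silently now: the `if (!tpnt1)` path is only reached when a load was attempted, so nothing tells the user that the list was ignored. That change in behaviour for names without a slash should be stated in a comment here and in the ld.so documentation.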
======================================================================
Should I submit a bug report against these packages?
--
Juan Cespedes