Bugtraq mailing list archives
Re: Does the shared lib bug work on any suid program ?
From: Gilles.Soulet () cst cnes fr (Gilles Soulet)
Date: Mon, 6 Nov 1995 10:45:57 +0100
At 17:18 03/11/1995 -0500, Fred Blonder wrote:
> From: Bernd Lehle <Bernd.Lehle () RUS Uni-Stuttgart DE>
>
> after all the fuzz about the telnet/shared lib stuff somebody here came up with something that might be even more interesting: What would happen in the following case: . This game could be played with any suid program, where you know what routines it calls. Or am I missing something ?
>
> You're missing something. The dynamic linker won't pay attention to the LD_-whatever environment variables if a program is set-uid: (real and effective UIDs different). This is a problem with /bin/login only because it runs as "root" withOUT being set-uid; real and effective UIDs are the same.
Testing if (EUID != UID) before using env variables for dynamic linking is obviously a good point. But what about testing if EUID or UID is equal to zero as well ? Indeed, there are few situations where you want root to run a program with a custom library path : root has to be sure about the code it executes. Root trusting "foreign" libraries certainly isn't a good thing, even if on some systems, standard dynamic libraries belong to "bin" in the vendor's configuration ;-) At least, this will save us from having to take care of a trojaned library path in root's env...

Gillus
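The two checks discussed in this message, side by side, as an added example that is not part of the original posts and is not any real dynamic linker's code. The policy names, function names and sample environment are hypothetical and constructed for illustration; the model simply drops every variable whose name starts with "LD_".

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Policy names are hypothetical labels for this example. */
enum policy {
    POLICY_UID_MISMATCH,   /* ignore LD_* only when real UID != effective UID */
    POLICY_ALSO_ROOT       /* additionally ignore LD_* when either UID is 0 */
};

/* Returns 1 when LD_* variables must be ignored for this process. */
int ld_env_untrusted(uid_t ruid, uid_t euid, enum policy p)
{
    if (ruid != euid)
        return 1;
    return p == POLICY_ALSO_ROOT && (ruid == 0 || euid == 0);
}

/* Compacts envp in place (still NULL-terminated); returns entries removed. */
int scrub_ld_env(const char **envp, uid_t ruid, uid_t euid, enum policy p)
{
    int removed = 0;
    const char **out = envp;
    if (!ld_env_untrusted(ruid, euid, p))
        return 0;
    for (const char **in = envp; *in != NULL; in++) {
        if (strncmp(*in, "LD_", 3) == 0)
            removed++;          /* drop the linker variable */
        else
            *out++ = *in;       /* keep everything else */
    }
    *out = NULL;
    return removed;
}

/* Constructed sample: builds a fresh environment and reports removals. */
int demo(uid_t ruid, uid_t euid, enum policy p)
{
    const char *env[] = { "PATH=/bin:/usr/bin", "LD_LIBRARY_PATH=/tmp/lib",
                          "LD_PRELOAD=/tmp/x.so", "TERM=vt100", NULL };
    return scrub_ld_env(env, ruid, euid, p);
}

int main(void)
{
    printf("login-like (0/0), mismatch only: %d\n", demo(0, 0, POLICY_UID_MISMATCH));
    printf("login-like (0/0), also root:     %d\n", demo(0, 0, POLICY_ALSO_ROOT));
    return 0;
}
```

With real and effective UID both 0, as in the /bin/login case quoted above, the mismatch-only check removes nothing, while the additional zero test removes both LD_ entries.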