Bugtraq mailing list archives
Re: Another ld-linux.so problem
From: solar () FALSE COM (Solar Designer)
Date: Sat, 7 Feb 1998 22:39:40 -0300
Hello,
It's much simpler than that:

$ LD_PRELOAD=libdoesntexist /bin/su
/bin/su: error in loading shared libraries libdoesntexist: cannot open shared object file: No such file or directory
libraries that are installed on the system should be well written, and it should be safe for them to be specified in LD_PRELOAD. I am quite surprised by this attitude, and I think I've thought of 3 situations where this behaviour of the dynamic linkers may _possibly_ create security problems.
Is there a reason for this limited LD_PRELOAD support for setuid binaries, does something depend on it? It looks like this was done intentionally...

Anyway, here's a patch for ld-linux.so 1.9.5 that I just did:

--- boot1.c.orig Mon Jul 21 16:45:35 1997 +++ boot1.c Sat Feb 7 20:17:44 1998 @@ -525,7 +525,7 @@ else { _dl_secure = 1; - _dl_preload = _dl_getenv("LD_PRELOAD", envp); + _dl_unsetenv("LD_PRELOAD", envp); _dl_unsetenv("LD_AOUT_PRELOAD", envp); _dl_unsetenv("LD_LIBRARY_PATH", envp); _dl_unsetenv("LD_AOUT_LIBRARY_PATH", envp);

(This is only to fix the LD_PRELOAD problem, not the load-old-version one.)

Signed,
Solar Designer
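Review bot: In the _dl_secure = 1 branch, the removed line was the only visible assignment to _dl_preload, so after this change the variable keeps whatever value it had before the branch. Unless it is initialised to NULL earlier in boot1.c (not visible in this hunk), add an explicit _dl_preload = NULL; next to the new _dl_unsetenv("LD_PRELOAD", envp); so the later preload step cannot act on a stale pointer. A one-line comment saying that LD_PRELOAD is now dropped entirely for secure executables, instead of being honoured in restricted form, would also help, since the message itself asks whether anything depends on the old behaviour.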