Bugtraq mailing list archives

Re: LD_ hole (was Re: IFS hole?)


From: rik () vifp monash edu au (Rik Harris)
Date: Thu, 16 Dec 1993 14:14:01 +1100


Michael Neuman <mcn () c3serve c3 lanl gov> wrote:

> c) delete any environment variable that begins with LD_
>
>   Most people have said this for obvious reasons, but the ld manpage says
> that it will not search anything (for suid binaries) other than the trusted
> paths for dynamically linked libraries even if LD_LIBRARY_PATH is set. Is
> this statement false? Is there a way around it? Is LD_PRELOAD_PATH documented
> anywhere? :-)

The problem is when that suid program calls any other program, keeping
privileges, the LD_* variables _are_ used.  ld.so will ignore LD_* if
the effective uid is not equal to the real uid.

rik.
--
Rik Harris - rik.harris () vifp monash edu au              || Systems Programmer
+61 3 560-3265 (AH) +61 3 565-3227 (BH)                 || and Administrator
Fac. of Computing & Info.Tech., Monash Uni, Australia   || Vic. Institute of
http://www.vifp.monash.edu.au/people/rik.html           || Forensic Pathology
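
Added example, not part of the original message: one way a set-uid program could apply option (c) from the quoted text before it runs a helper, by building a copy of its environment with every LD_* entry removed. The function name scrub_ld_env and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a NULL-terminated array pointing at every entry of envp that does
 * not begin with "LD_" (strings are shared, not copied). *kept receives the
 * number of entries kept. NULL means allocation failed: do not exec. */
char **scrub_ld_env(char *const envp[], size_t *kept)
{
    size_t n = 0, out = 0;
    while (envp[n] != NULL)
        n++;
    char **clean = calloc(n + 1, sizeof *clean);
    if (clean == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        /* Prefix match covers LD_LIBRARY_PATH, LD_PRELOAD and any other LD_ name. */
        if (strncmp(envp[i], "LD_", 3) == 0)
            continue;
        clean[out++] = envp[i];
    }
    clean[out] = NULL;
    if (kept != NULL)
        *kept = out;
    return clean;
}

/* Constructed sample environment, for demonstration only. */
static char *const sample_env[] = {
    "PATH=/bin:/usr/bin",
    "LD_LIBRARY_PATH=/tmp/lib",
    "HOME=/home/user",
    "LD_PRELOAD=libexample.so",
    "OLD_LD_VALUE=1",            /* does not begin with LD_, so it is kept */
    NULL
};

int main(void)
{
    size_t kept = 0;
    char **clean = scrub_ld_env(sample_env, &kept);
    if (clean == NULL)
        return 1;
    for (size_t i = 0; i < kept; i++)
        puts(clean[i]);          /* a real caller would pass clean to execve() */
    free(clean);
    return 0;
}
```

The scrubbed array is meant to be passed as the envp argument of execve(), so the child never sees the caller's LD_* settings regardless of how its real and effective uids compare.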


