Re: LD_ hole (was Re: IFS hole?)

Rik Harris (rik@vifp.monash.edu.au)
Thu, 16 Dec 1993 14:14:01 +1100

Michael Neuman <mcn@c3serve.c3.lanl.gov> wrote:
>
> > c) delete any environment variable that begins with LD_
>
>   Most people have said this for obvious reasons, but the ld manpage says
> that it will not search anything (for suid binaries) other than the trusted
> paths for dynamically linked libraries even if LD_LIBRARY_PATH is set. Is
> this statement false? Is there a way around it? Is LD_PRELOAD_PATH documented
> anywhere? :-)

The problem is when that suid program calls any other program, keeping
privileges, the LD_* variables _are_ used.  ld.so will ignore LD_* if
the effective uid is not equal to the real uid.

rik.
--
Rik Harris - rik.harris@vifp.monash.edu.au              || Systems Programmer
+61 3 560-3265 (AH) +61 3 565-3227 (BH)                 || and Administrator
Fac. of Computing & Info.Tech., Monash Uni, Australia   || Vic. Institute of
http://www.vifp.monash.edu.au/people/rik.htm           || Forensic Pathology
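
Item (c) quoted above, deleting every environment variable that begins with LD_, as an added example that is not part of the original message: a setuid program would call a routine like this before it runs any other program. The names scrub_ld_vars, env_count and sample_env are hypothetical, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>
extern char **environ;

/* Constructed sample environment (not taken from the post). */
static char *sample_env[] = {
    "PATH=/bin:/usr/bin",
    "LD_LIBRARY_PATH=/tmp/a",
    "HOME=/home/user",
    "LD_PRELOAD=/tmp/b.so",
    "OLD_VAR=1",               /* contains "LD_" but does not begin with it */
    "LD_LIBRARY_PATH=/tmp/c",  /* duplicate name: every copy must go */
    NULL
};

/* Hypothetical helper: drop every entry whose name begins with "LD_",
 * compacting the NULL-terminated vector in place. Returns entries removed. */
size_t scrub_ld_vars(char **envp)
{
    size_t removed = 0;
    char **dst = envp;
    if (envp == NULL)
        return 0;
    for (char **src = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;          /* skip it: the entry is not copied forward */
        else
            *dst++ = *src;      /* keep it, closing any gap left behind */
    }
    *dst = NULL;
    return removed;
}

/* Hypothetical helper: number of entries left in the vector. */
size_t env_count(char **envp)
{
    size_t n = 0;
    while (envp != NULL && envp[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    size_t removed = scrub_ld_vars(sample_env);
    printf("sample: removed %zu, kept %zu\n", removed, env_count(sample_env));
    /* Setuid program: scrub the real environment before any exec*() or system(). */
    printf("environ: removed %zu\n", scrub_ld_vars(environ));
    return 0;
}
```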