On Wed, Jan 28, 1998 at 11:52:45PM +0000, Mark Baker wrote:
> On Wed, Jan 28, 1998 at 11:46:46PM -0000, [EMAIL PROTECTED] wrote:
> > Fakeroot is not the only library in a privileged directory that should
> > not be run with a setuid executable by an unprivileged user.
> > Although I don't know of an exploit, my Electric Fence library has not
> > been audited for that kind of security. If there is a shared library for
> > Checker, it probably has the same status.
> 
> Do you think Debian should, whatever the upstream author does, fix ld.so so
> this isn't possible (it would actually make the code simpler)? I can't think
> of any good reason not to, even if the security risk is negligible.

        Yes, both ld-linux.so.2 and ld-linux.so.1 should be fixed;
nobody should be able to run a setuid program in an LD_PRELOAD
environment.  At least, I can't find any reason to allow it, and many
people could use it to try to find exploits.

        The fix is very easy, both in libc6 and ld.so:

=================== patch for glibc_2.0.6-2 ==========================
--- elf/rtld.c. Sun Feb  8 22:55:45 1998
+++ elf/rtld.c  Sun Feb  8 22:57:02 1998
@@ -356,7 +356,7 @@
       char *list = strdupa (preloadlist);
       char *p;
       while ((p = strsep (&list, " ")) != NULL)
-       if (! __libc_enable_secure || strchr (p, '/') == NULL)
+       if (! __libc_enable_secure)
          {
            struct link_map *new_map = _dl_map_object (NULL, p, lt_library, 0);
            if (new_map->l_opencount == 1)
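Review bot: With the `strchr (p, '/') == NULL` clause removed, the test on the changed `if` line no longer depends on `p`, so it is loop-invariant: when `__libc_enable_secure` is set, the code still copies the list with `strdupa` and walks it with `strsep` only to discard every entry. Moving the `! __libc_enable_secure` test out to guard the whole block would make the intent explicit and give the simplification mentioned earlier in the thread. The change also deserves a comment saying that preloading is now refused entirely in secure mode, because the removed clause used to let slash-less names through, which is the case the thread raises for fakeroot and Electric Fence.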
======================================================================

=================== patch for ld.so-1.9.6 ============================
--- d-link/boot1.c.     Mon Jul 21 21:45:35 1997
+++ d-link/boot1.c      Sun Feb  8 22:59:26 1998
@@ -561,7 +561,7 @@
          str2++;
        c = *str2;
        *str2 = '\0';
-       if (!_dl_secure || _dl_strchr(str, '/') == NULL) {
+       if (!_dl_secure) {
          tpnt1 = _dl_load_shared_library(NULL, str);
          if (!tpnt1) {
            if (_dl_trace_loaded_objects)
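Review bot: The new `if (!_dl_secure) {` test does not use `str`, yet the context lines above it still advance `str2` and write `*str2 = '\0'` to split out each name before the test runs, so under `_dl_secure` the tokenizing is done for nothing. Consider testing `_dl_secure` once before the loop and skipping the list there, with a comment noting that the entries are dropped silently: the only diagnostic path visible here (`if (!tpnt1)`) sits inside the branch that is no longer reached in secure mode.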
======================================================================

        Should I submit a bug report against these packages?

-- 
Juan Cespedes

