Nobody should be able to run LD_PRELOAD with suid binaries. The issue with nfslock can be solved differently as Joost has said. And being able to set LD_PRELOAD on one machine and then rsh to exec a command on another (and the other machine obeys the LD_PRELOAD!) seems to be another reason to disable LD_PRELOAD. That raises a lot of security issues. If nobody else will do it then I will upload a version that fixes the hole.
On 9 Feb 1998, James Troup wrote:

> Juan Cespedes <[EMAIL PROTECTED]> writes:
>
> > Yes, both ld-linux.so.2 and ld-linux.so.1 should be fixed; nobody
> > should be able to run a setuid program in a LD_PRELOAD environment.
> > At least, I can't find any reason to allow it, and many people could
> > use it to try to find exploits.
>
> But there _are_ reasons to allow it (see below, and also add
> libnfslock to the list). If there weren't any someone would have
> presented these patches much earlier.
>
> ------- Start of forwarded message -------
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sun, 8 Feb 1998 15:39:10 -0600
> Reply-To: Aleph One <[EMAIL PROTECTED]>
> From: Aleph One <[EMAIL PROTECTED]>
> Subject: Re: Another ld-linux.so problem
> To: [EMAIL PROTECTED]
>
> On Sat, 7 Feb 1998 [EMAIL PROTECTED] wrote:
>
> > Yes. SOCKSifying stupid protocols that require binding ports <1024, for
> > example. Assuming you install libsocks5_sh.so in /usr/lib, you can do:
> >
> > $ (export LD_PRELOAD=/usr/lib/libsocks5_sh.so; rsh machine.outside.firewall pwd)
> >
> > and have it work. This is basically what the runsocks script does.
>
> Another example: installing a library that overrides mktemp, tempnam and
> other dangerous library functions with more secure ones. So the feature
> is indeed useful. The correct behavior should be for the dynamic linker
> to give up at the first error. Alternatively you should be able to
> configure such libraries via the configuration file instead of an
> environment variable. You can't do so now as far as I can tell.
>
> > --
> > Carson Gaspar -- [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> > http://www.cs.columbia.edu/~carson/home.html
> > Queen Trapped in a Butch Body
>
> Aleph One / [EMAIL PROTECTED]
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
> ------- End of forwarded message -------
>
> --
> James
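
The policy argued for in this thread, sketched as an added example (not code from ld-linux.so or from any poster): when real and effective ids differ, loader-steering variables are dropped from the environment before anything acts on them. The `creds` struct, `scrub_env` and the two-name variable list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

/* Process credentials (struct name and layout are assumptions of this example). */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Setuid/setgid execution: real and effective ids differ. */
static int is_secure_exec(const struct creds *c) {
    return c->ruid != c->euid || c->rgid != c->egid;
}

/* Match "NAME=" exactly, so LD_PRELOADX=... is not mistaken for LD_PRELOAD. */
static int is_loader_var(const char *entry) {
    static const char *const names[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };
    for (size_t i = 0; names[i]; i++) {
        size_t n = strlen(names[i]);
        if (strncmp(entry, names[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Compact envp in place, dropping loader variables only when the
 * credentials indicate setuid/setgid execution. Returns entries removed. */
int scrub_env(char **envp, const struct creds *c) {
    int removed = 0;
    char **out = envp;
    if (!is_secure_exec(c))
        return 0;
    for (char **in = envp; *in; in++) {
        if (is_loader_var(*in))
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void) {
    /* Apply the policy to this process's own credentials and environment. */
    struct creds me = { getuid(), geteuid(), getgid(), getegid() };
    printf("loader variables dropped: %d\n", scrub_env(environ, &me));
    return 0;
}
```

Run as an ordinary user this reports 0, because real and effective ids match and the environment is left alone, which is the case the SOCKS and mktemp examples in the thread rely on.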

