I enquired about LD_PRELOAD on the [email protected] list (for those who don't
know, OpenBSD is a variant of BSD which specialises in security and
multi-platform support). I obtained the following response.
David Scott
-----------------------------------------------------------------------------
On Wed, Feb 11, 1998 at 12:10:03PM +0000, David Scott +44 1383 821921 wrote:
> I have been half following a discussion on debian-sparc list concerning
whether
> or not normal users should be allowed to influence which libraries a setuid
> program is loaded with. The question arose as to whether allowing LD_PRELOAD
to
> work on setuid binaries is a standard 'Unix' practice. Does anybody feel like
> answering this question for the case of OpenBSD? I am willing to forward the
> reply.
Definitely NOT standard... or else, use the following code fragment:
int getuid()
{
return whatever;
}
int geteuid()
{
return whatever;
}
makes it rather easy to impersonate someone, doesn't it ?
If you allow LD_PRELOAD, you effectively make it impossible to use ANY library
call from a setuid program, while suid'ed.
--
Marc Espie
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] .
Trouble? e-mail to [EMAIL PROTECTED] .
