On Sun, 3 Nov 2002, Robert Watson wrote:

> On Sun, 3 Nov 2002, Miguel Mendez wrote:
> > > 2) Security.  Can LD_LIBRARY_PATH (or other mechanisms)
> > >     be used to deliberately subvert any of these programs?
> > >     (especially the handful of suid/sgid programs here)
> > ..
> > 
> > I can't come up right now with an idea of how exploiting LD_LIBRARY_PATH
> > could be useful with any of these, but the possibility exists. OTOH, the
> > recently added priviledge elevation feature should make it possible to
> > have *no* setuid programs on a system, and have the kernel elevate
> > priviledges for certain syscalls, based on the policy created by
> > systrace. 
> LD_LIBRARY_PATH is disabled for setuid binaries -- the kernel sets the
> P_ISSETUGID flag, which is exported to userspace by issetugid(), which is
> in turn checked by the rtld, which will refuse to observe that
> environmental variable (and a number of others) as a result.  We have
> plenty of dynamically linked setuid binaires in the system already, and
> it's not a problem. 

Due to sucky latency, I didn't realize y fingers had typed the constant
there incorrectly, that should read P_SUGID.  That same protection also
prevents debugging of processes following privilege downgrade, amongst
other things.

On the systrace issue -- I have lasting concerns about the race conditions
present in fine-grained SMP and threaded systems, such as FreeBSD 5, or
present in systems providing Linux clone() emulation.  Neils has addressed
some but not all of these concerns; until they are fully addressed, the
race conditions there will remain a serious problem.  When the scheduler
activation work hits the main NetBSD tree, I would expect similar

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]      Network Associates Laboratories

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to