Hi Giancarlo,

Maybe I'm totally wrong here:

2014-02-17 20:20 GMT+01:00 Theo de Raadt <dera...@cvs.openbsd.org>:
>> 2014-02-16 23:36 GMT+01:00 Frank Brodbeck <f...@guug.de>:
>>> I am not sure what point it is you are trying to make but:
>>>
>>> $ LD_PRELOAD=./id0 sh
>>> \u@\h:\w\n$ id -un
>>> root
>>> \u@\h:\w\n$ less /etc/master.passwd
>>> /etc/master.passwd: Permission denied
>>> \u@\h:\w\n$ ls -l /etc/master.passwd
>>> -rw-------  1 root  wheel  3984 Feb  5 22:44 /etc/master.passwd
>>> \u@\h:\w\n$
>>
>> again:
>>
>> ---
>> Nothing (it's safe to self-test, so have fun). id (or whoami) thinks
>> that it calls functions from libc, but it really calls functions that
>> are loaded by LD_PRELOAD. These fake functions return 0, so id (whoami)
>> thinks that you are root.
>> ---
>>
>> This means that you don't have root access (or uid 0), but id (whoami)
>> thinks that you are root (uid 0). If you put something more dangerous
>> in a function such as readpassphrase(), you can e.g. capture
>> passwords etc. This example shows that using LD_PRELOAD you can inject
>> your own code on OpenBSD.
>>
>> I hope that now it is more understandable.
>
> This is a complete joke; you are failing to explain it properly to
> people.
>
> The above is no different from copying the "id" binary to a new place,
> then hand-editing the binary to return 0 deep inside it, then running
> this new copy. Whoohoo! Terrible risk! Modified code lied to me!
>
> There is no risk such as readpassphrase(). You are running the code
> you intend to, and no one has fooled anyone.

Yes, it is not possible to set a trap for a user using LD_PRELOAD.
Hmm... I'm definitely wrong!

But I have another example:

--- cat fake.c ---
#include <sys/types.h>
#include <unistd.h>

/* write(2) a string literal to stdout without pulling in stdio */
#define print(s) write(1, (s), sizeof(s) - 1)

/* 32767 is the uid of "nobody" on OpenBSD */
uid_t getuid(void)
{
    return 32767;
}

uid_t geteuid(void)
{
    print("hello from fake geteuid()!\n");
    print("you're ");
    return 32767;
}
--- end cat ---

# shell (as normal user):
cc -shared -fPIC fake.c -o fake
LD_PRELOAD=./fake ksh

and type:

whoami

As you can see, it is not possible to inject any code into "whoami".

So we can sleep well. It doesn't work on OpenBSD ;]

Stay secure,
Daniel