08.06.2011, 12:55, "Till Oliver Knoll" <[email protected]>:
> That would mean there was NO way on Linux/Unix to make sure an executable is
> picking up a lib from a well-defined location! And simply pointing
> LD_LIBRARY_PATH to a malicious lib would open that lib instead of the proper
> one (and maybe that lib would even inherit root access!).
>
> Setting LD_LIBRARY_PATH in your own start script would not help: I would
> simply ignore your script and call the executable directly (or via my own
> malicious script).
>
Right - but Unix systems don't assume that the user himself is a potential malefactor. So the user certainly has a right to set LD_LIBRARY_PATH to the desired value or call the application directly (but no one knows what will happen then ;)

On the other hand, malicious code may insert LD_LIBRARY_PATH into ~/.bash_profile, download some evil libs somewhere into a deep hole of ~/.config (that's why I hate these newfangled "black holes" inside $HOME), and they can be accidentally used after the next shell login.

> I am sure I am missing something here, so Captain Obvious please speak up :)

There is a way to ensure that an application loads libraries from certain locations: load them with dlopen.

--
Regards,
Konstantin
_______________________________________________
Qt5-feedback mailing list
[email protected]
http://lists.qt.nokia.com/mailman/listinfo/qt5-feedback
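
What pinning a library location with dlopen can look like, as an added example that is not part of the original thread: a name containing a slash is opened as given rather than searched for via LD_LIBRARY_PATH, and the loader is then asked where the object actually came from. It assumes Linux with glibc; `load_pinned` is a hypothetical helper name.

```c
/* Added example (not from the thread). Assumes Linux with glibc;
 * load_pinned() is a hypothetical helper name. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <link.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Load a library from exactly one absolute location.
 * Returns a dlopen handle, or NULL if the path is not absolute, does not
 * resolve, or the loader mapped the object from somewhere else. */
void *load_pinned(const char *abs_path)
{
    char want[PATH_MAX], got[PATH_MAX];
    struct link_map *lm = NULL;

    /* A name without '/' would be searched via LD_LIBRARY_PATH, RUNPATH,
     * ld.so.cache etc., which is exactly what we want to avoid. */
    if (abs_path == NULL || abs_path[0] != '/')
        return NULL;
    if (realpath(abs_path, want) == NULL)   /* resolve symlinks up front */
        return NULL;

    void *h = dlopen(want, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return NULL;

    /* Ask the loader where the object really came from and compare. */
    if (dlinfo(h, RTLD_DI_LINKMAP, &lm) != 0 || lm == NULL ||
        realpath(lm->l_name, got) == NULL || strcmp(want, got) != 0) {
        dlclose(h);
        return NULL;
    }
    return h;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/lib.so\n", argv[0]);
        return 2;
    }
    void *h = load_pinned(argv[1]);
    printf("%s: %s\n", argv[1], h ? "loaded from pinned path" : "refused");
    if (h) dlclose(h);
    return h ? 0 : 1;
}
```

Pinning covers only the object named in the call: that library's own dependencies, and anything listed in LD_PRELOAD, are still resolved by the loader's normal rules. On glibc older than 2.34 link with `-ldl`.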
