Louis Granboulan wrote:
> However, it is quite clear to me that the current behaviour is
> inconsistent and is the reason for this security flaw. We see $ ls -l
> /proc/self/fd/3 pretend that it is a symbolic link to a file that does not
> exist, and $ ls -lL /proc/self/fd/3 show a setuid file.
>
Am I the only one that thinks that the problem is in the way that Linux
defines the semantics of /proc/nnn/fd/n?
I can only think of three sensible ways of doing it.
One could follow exactly what is in the man page, and /proc/nnn/fd/n are
symbolic links to actual files.
Then, if the file is deleted o
Hanno Böck wrote:
> Am Monday 18 October 2010 schrieb Tavis Ormandy:
> > # Open a file descriptor to the target binary (note: some users are
> > # surprised to learn exec can be used to manipulate the redirections of
> > # the current shell if a command is not specified. This is what is
> > # happe
On Mon, 18 Oct 2010, Marsh Ray wrote:
> > Those two or three guys who might ever need to execute a set*id program
> The problem is that one of those guys writes the Makefile and the other
> two are distro maintainers.
It does not mean they are entitled to ram it down everyone's throat. :P
> > -
Am Monday 18 October 2010 schrieb Tavis Ormandy:
> # Open a file descriptor to the target binary (note: some users are
> # surprised to learn exec can be used to manipulate the redirections of
> # the current shell if a command is not specified. This is what is
> # happening below).
> $ exec 3< /tmp
On 10/18/2010 01:43 PM, Pavel Kankovsky wrote:
>
> The only sensible restriction for LD_* environment variables (as well as
> many other env. vars.) when a setuid or setgid program is executed is to
> erase all traces of them at the first opportunity.
>
> Those two or three guys who might ever nee
On Mon, 18 Oct 2010, Tavis Ormandy wrote:
> LD_AUDIT is intended for use with the linker auditing api (see the
> rtld-audit manual), and has the usual restrictions for setuid programs
> as LD_PRELOAD does.
*facepalm*
The only sensible restriction for LD_* environment variables (as well as
many
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
--
Gruezi,
This is CVE-2010-3847.
The dynamic linker (or dynamic loader) is responsible for the runtime linking of
dynamically linked programs