[1364] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Buffer overflow in Linux's login program

daemon@ATHENA.MIT.EDU (Wietse Venema)
Mon Dec 23 14:16:06 1996

From: wietse@porcupine.org (Wietse Venema)
To: linux-security@redhat.com
Date: Mon, 23 Dec 1996 13:37:37 -0500 (EST)
In-Reply-To: <m0vcEvt-00024xC%kro.amtp.cam.ac.uk@damtp.cam.ac.uk> from "Jon Peatfield" at Dec 23, 96 06:17:00 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

> [Mod: Just remeber that while by itself suid but does not do much for login,
> it tells ld.so to ignore LD_ variables which can be used to supply a fake
> libc -- alex]

On many systems, ld.so will ignore LD_ variables only when effecive
uid != real uid. In other words,  ld.so does not care if the binary
is set-uid or not, it only looks at the rights of its process.

	Wietse


home help back first fref pref prev next nref lref last post