[451] in linux-security and linux-alert archive
linux a.out ld.so problem
daemon@ATHENA.MIT.EDU (medulla)
Mon Nov 6 15:34:12 1995
Date: Mon, 6 Nov 1995 06:11:30 -0500 (EST)
From: medulla <medulla@infosoc.com>
To: linux-security@tarsier.cv.nrao.edu
While I was playing around with the telnetd hole, I noticed something
terribly wrong with a.out systems (elf is fine in my test). It seems that
even if a program is suid or sgid, that the LD_LIBRARY_PATH is still being
used, so setting login g+s will have no effect (and more worrisome is that
any suid program can be abused to get root). Here is an example, am I missing
something obvious? The ld.so man page clearly says the variable(s) are
ignored when the app is suid or sgid, but this doesn't appear to be the case.
--- snip
hfpa:~# cp /lib/libc.so.4 /tmp
hfpa:~# cp /bin/ls .
hfpa:~# chmod g+s ls
hfpa:~# strace -o ls.1 ./ls
<snipped dir list>
hfpa:~# grep /tmp ls.1
hfpa:~# setenv LD_LIBRARY_PATH /tmp
hfpa:~# strace -o ls.2 ./ls
<snipped dir list>
hfpa:~# grep /tmp ls.2
uselib("/tmp/libc.so.4") = 0
--- snip