[468] in linux-security and linux-alert archive


Re: ld.so gaping hole.

daemon@ATHENA.MIT.EDU (Joshua Cowan)
Wed Nov 8 17:05:39 1995

Date: Mon, 6 Nov 1995 21:52:33 -0600
From: Joshua Cowan <jcowan@jcowan.reslife.okstate.edu>
To: SysAdmin - TNET Systems <root@TNET.portage.net>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.951106070312.477B-100000@TNET.portage.net>

>>>>> "Chad" == SysAdmin - TNET Systems <root@TNET.portage.net> writes:

    Chad>    the telnetd hole was minor, because anyone could use the
    Chad> LD_LIBRARY_PATH and LD_PRELOAD to get root with just about
    Chad> anything.  patching login, telnetd, etc., etc. is not going to
    Chad> fix this problem.

Uh, no.  And yes, patching `telnetd' (or statically linking `login',
or using a wrapper) will fix this problem.

    Chad> LD_PRELOAD, LD_LIBRARY_PATH are really not needed.  If you

Although I agree that many utilities are at least somewhat subject to
creeping featurism, I would have to disagree with this one.  If you
want to test a dynamically-linked binary without installing the
dynamic-lib (and you don't want to use `-rpath'), then this becomes
very useful.

    Chad> are going to use them, rename them, hash the names up in the
    Chad> ld.so binary (evade strings), or use some sort of protocol
    Chad> for specifying them.

You may as well disable them altogether if you are going to do this.
Besides, this is not virus code we are dealing with and we don't
really need to ``hide'' the variables' values from anyone.

    Chad> For example, modify the ld.so.c file to search for a special
    Chad> char, of your choosing, in the environment variables.  If
    Chad> not present, ignore the variables.

Again, this is (IMHO) pointless --- you may as well remove the
features altogether.  It is very conceivable that other users on the
system may have need for these features, in which case doing this
would only make your job more difficult.

    Chad> So not only do you get to save disk space (although nominal)
    Chad> over adding patches, or wrappers... you get an even much
    Chad> more secure system.

Well, I'd have to agree that it _is_ more secure, although I don't
know how much.  I personally think that the features are worth what
little trouble they cause.

    Chad> (not counting the fact that I had previously gotten the
    Chad> source to an ELF ld.so when I am a.out :/ 1.7.3 is elf, and
    Chad> elf only.  For a.out users, use 1.5.3)

1.7.10 is for ELF _and_ a.out.  If you are going to ``upgrade''
`ld.so', use this one.

--
Joshua Cowan <jcowan@hermit.reslife.okstate.edu> __| I don't want to listen
http://hermit.reslife.okstate.edu/~jcowan       | but it's all too clear...
Computer Engineering Student -- Oklahoma State University -- Stillwater, OK
PGP key available from any PGP keyserver or by fingering the above address.
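The "wrapper" option Joshua mentions above, shown as an added example that is not part of the original thread or of any ld.so release: a small setuid-safe launcher that strips every LD_* variable (LD_PRELOAD, LD_LIBRARY_PATH and friends) from the environment before exec'ing the real program, so the dynamic loader never sees attacker-controlled values. The target path WRAPPED_PROGRAM is a placeholder; the scrubbing logic is kept in a separate function so it can be checked on its own.

```c
/* Added example (not from the thread): environment-scrubbing wrapper.
 * Install this in place of the dynamically linked daemon and point
 * WRAPPED_PROGRAM at the renamed original.  WRAPPED_PROGRAM is a
 * placeholder path, not one the thread names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define WRAPPED_PROGRAM "/usr/sbin/telnetd.real"   /* placeholder */

extern char **environ;

/* Nonzero if the "NAME=value" entry names a dynamic-loader control
 * variable.  Everything starting with LD_ is dropped, not just the
 * two named in the thread, because ld.so honours several of them. */
int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Builds a new NULL-terminated environment in *out that contains every
 * entry of envp except the LD_* ones.  Returns the number of entries
 * kept; on allocation failure *out is NULL and 0 is returned. */
size_t scrub_env(char *const envp[], char ***out)
{
    size_t n = 0, kept = 0;
    char **clean;

    while (envp[n] != NULL)
        n++;
    clean = malloc((n + 1) * sizeof *clean);
    if (clean == NULL) {
        *out = NULL;
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (!is_loader_var(envp[i]))
            clean[kept++] = envp[i];
    }
    clean[kept] = NULL;
    *out = clean;
    return kept;
}

int main(int argc, char *argv[])
{
    char **clean;

    (void)argc;
    scrub_env(environ, &clean);
    if (clean == NULL) {
        perror("malloc");
        return 1;
    }
    /* argv is passed through unchanged; only the environment is filtered. */
    execve(WRAPPED_PROGRAM, argv, clean);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

Statically linking the wrapped program, as the reply also suggests, removes the loader from the picture entirely; the wrapper is the option when relinking is not possible and it must itself be statically linked, or it would be subject to the same LD_* influence it is meant to block.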
