[16929] in bugtraq
Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
daemon@ATHENA.MIT.EDU (Jakub Vlasek)
Wed Sep 27 13:25:51 2000
Message-ID: <Pine.LNX.4.10.10009271148580.22869-100000@kronos>
Date: Wed, 27 Sep 2000 12:36:28 +0200
Reply-To: Jakub Vlasek <jv@PILSEDU.CZ>
From: Jakub Vlasek <jv@PILSEDU.CZ>
X-To: "Dwayne C . Litzenberger" <dlitz@cheerful.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000926175214.A2815@zed.dcl>

On Tue, 26 Sep 2000, Dwayne C . Litzenberger wrote:
> On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> > Hi,
> > ld.so from glibc2 doesn't unset the variables LD_DEBUG_OUTPUT and LD_DEBUG
> > when running suid. If a program calls setuid(0) and then fork(), the child
> > process will follow a prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> > overwrite any file in the system.
>
> I could not reproduce this.
>
> When I run the suid program, LD_DEBUG still works (odd, but true), but
> LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal). What
> version of glibc2 were you using? (I am using Debian libc6 (a.k.a. glibc2)
> version 2.1.3-10.)
>
> --
> Dwayne C. Litzenberger - dlitz@cheerful.com

[jv] ~/x export LD_DEBUG=libs LD_DEBUG_OUTPUT=/home/jv/x/debug
[jv] ~/x ls -l
-rw-rw-r-- 1 jv jv 308 Sep 27 11:40 debug.22810
[jv] ~/x su
(LD_DEBUG_OUTPUT ignored, data written to terminal)
Password:
[root] /home/jv/x ls -l
-rw-rw-r-- 1 jv jv 308 Sep 27 11:40 debug.22810
-rw-rw-r-- 1 root root 1850 Sep 27 11:41 debug.22812
-rw-r--r-- 1 root root 374 Sep 27 11:41 debug.22819
-rw-r--r-- 1 root root 308 Sep 27 11:41 debug.22820 <- can be symlink

I'm using glibc-2.1.3-10 on Debian.
JV
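
Added example, not part of the original message and not glibc code: a privileged process that writes a log at a predictable <prefix>.<pid> name can refuse a pre-existing symlink by creating the file with O_EXCL and O_NOFOLLOW. The function names, the temp directory and the file names are constructed for this illustration, and the flags in open_log_weak are an assumption about a typical log open, not taken from ld.so.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: O_CREAT|O_TRUNC follows a symlink already sitting at the path. */
int open_log_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL refuses any existing name (symlinks included) and
 * O_NOFOLLOW refuses a symlink in the final path component. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private temp directory: "victim" stands in for a
 * file that must not be clobbered, "debug.1234" is a symlink to it.
 * Returns a bitmask: 2 = safe open refused the link and victim is intact,
 *                    1 = weak open followed the link and truncated victim. */
int run_demo(void) {
    char dir[] = "/tmp/ldsym.XXXXXX", victim[64], lnk[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/debug.1234", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(victim, lnk) != 0) return -1;

    fd = open_log_safe(lnk);            /* expected to fail with EEXIST */
    if (fd < 0 && stat(victim, &st) == 0 && st.st_size == 10) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_log_weak(lnk);            /* opens victim through the link */
    if (fd >= 0) close(fd);
    if (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0) result |= 1;

    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```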