[16947] in bugtraq
Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
daemon@ATHENA.MIT.EDU (Robert Bihlmeyer)
Thu Sep 28 13:24:28 2000
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="----------=_970156707-749-0";
micalg="pgp-sha1"; protocol="application/pgp-signature"
Message-Id: <87em241pb0.fsf@hoss.orcus.priv.at>
Date: Thu, 28 Sep 2000 17:58:27 +0200
Reply-To: Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
From: Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
X-To: "Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: "Dwayne C . Litzenberger"'s message of "Tue, 26 Sep 2000 17:52:14
-0600"
This is a multi-part message in MIME format.
It has been signed conforming to RFC2015.
You'll need PGP or GPG to check the signature.
------------=_970156707-749-0
Content-Type: text/plain; charset=us-ascii
"Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM> writes:
> On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> > Hi,
> > ld.so from glibc2 doesn't unset variables LD_DEBUG_OUTPUT and LD_DEBUG
> > when running suid. If program calls setuid(0) and then fork(), child
> > process will follow prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> > overwrites any file in system.
>
> When I run the suid program, LD_DEBUG still works (odd, but true), but
> LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal).
The problem is not the suid program, but another program exec'd by the
suid program with uid==euid. In this case the glibc security checks
are off and the inherited LD_DEBUG_OUTPUT is again used.
--
Robbe
------------=_970156707-749-0
Content-Type: application/pgp-signature; name="signature.ng"
Content-Disposition: inline; filename="signature.ng"
Content-Transfer-Encoding: base64
LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcg
djEuMC4zIChHTlUvTGludXgpCkNvbW1lbnQ6IEZvciBpbmZvIHNlZSBodHRw
Oi8vd3d3LmdudXBnLm9yZwoKaUQ4REJRRTUwMnFvMzNLY3V1WllQdnNSQWx2
VEFKOWlUY0dlNWhXWUVYRkFxMm80bE9QR3gwY1U4UUNmVUdIeApkV1ZoTmNR
UFZEb1JLZXNyVk1iMFhWTT0KPUpQbkMKLS0tLS1FTkQgUEdQIFNJR05BVFVS
RS0tLS0tCg==
------------=_970156707-749-0--
