[2356] in bugtraq
Re: Does the shared lib bug work on any suid program ?
daemon@ATHENA.MIT.EDU (der Mouse)
Sat Nov 4 16:15:20 1995
Date: Fri, 3 Nov 1995 22:24:58 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
X-To: bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
>> [...dynamic loaders vs setuid programs...]
>> Or am I missing something ?
> FreeBSD does this in ld.so:
>     /* Get user and group identifiers */
>     uid = getuid(); euid = geteuid();
>     gid = getgid(); egid = getegid();
>     careful = (uid != euid) || (gid != egid);
>     if (careful) {
>             unsetenv("LD_LIBRARY_PATH");
>             unsetenv("LD_PRELOAD");
>     }
> This works unless the suid program is run with root as the real user
> as is the case for telnetd.
Or the variable exists multiple times in the environment and unsetenv()
isn't careful to get them all. Didn't we just recently hear about a
loadmodule patch that didn't work because it did something like this
with IFS, only it _didn't_ take care to get all of them?
der Mouse
mouse@collatz.mcrcim.mcgill.edu
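
The duplicate-variable case raised in the reply above, as an added example that is not part of the original post and is not FreeBSD's ld.so code. The functions unset_first, unset_all and survivors, and the sample environment, are constructed for illustration; unset_first stands in for a hypothetical unsetenv() that stops at the first match.

```c
#include <stdio.h>
#include <string.h>

/* Does the entry "NAME=value" define the variable `name`? */
static int defines(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Hypothetical naive scrub: removes the first match and stops. */
void unset_first(char **env, const char *name)
{
    while (*env && !defines(*env, name))
        env++;
    for (; *env; env++)            /* shift the tail down one slot */
        env[0] = env[1];
}

/* Careful scrub: compacts the vector, dropping every match. */
void unset_all(char **env, const char *name)
{
    char **out = env;
    for (; *env; env++)
        if (!defines(*env, name))
            *out++ = *env;
    *out = NULL;
}

/* Runs `scrub` on a constructed environment in which LD_PRELOAD appears
 * twice, and returns how many LD_PRELOAD entries are still present. */
int survivors(void (*scrub)(char **, const char *))
{
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/first.so", "HOME=/",
                    "LD_PRELOAD=/tmp/second.so", NULL };
    int left = 0;
    scrub(env, "LD_PRELOAD");
    for (char **e = env; *e; e++)
        left += defines(*e, "LD_PRELOAD");
    return left;
}

int main(void)
{
    printf("remove-first leaves %d, remove-all leaves %d\n",
           survivors(unset_first), survivors(unset_all));
    return 0;
}
```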