[2367] in bugtraq


Re: Does the shared lib bug work on any suid program ?

daemon@ATHENA.MIT.EDU (Gilles Soulet)
Wed Nov 8 03:26:42 1995

Date:         Mon, 6 Nov 1995 10:45:57 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Gilles Soulet <Gilles.Soulet@cst.cnes.fr>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

At 17:18 03/11/1995 -0500, Fred Blonder wrote:
>        From: Bernd Lehle <Bernd.Lehle@RUS.Uni-Stuttgart.DE>
>
>        after all the fuss about the telnet/shared lib stuff somebody
>        here came up with something that might be even more
>        interesting:
>
>        What would happen in the following case:
>
>        .
>
>        This game could be played with any suid program, where you know
>        what routines it calls.
>
>        Or am I missing something ?
>
>You're missing something.
>
>The dynamic linker won't pay attention to the LD_-whatever environment
>variables if a program is set-uid: (real and effective UIDs different).
>
>This is a problem with /bin/login only because it runs as "root"
>withOUT being set-uid; real and effective UIDs are the same.
>

Testing if (EUID != UID) before using env variables for dynamic
linking is obviously a good point. But what about testing
whether EUID or UID is equal to zero as well? Indeed, there are
few situations where you want root to run a program with
a custom library path: root has to be sure about the code it executes.

Root trusting "foreign" libraries certainly isn't a good thing, even
if on some systems standard dynamic libraries belong to "bin" in
the vendor's configuration ;-)

At least, this will spare us from having to worry about a trojaned
library path in root's env...

   Gillus
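
The two checks discussed in this thread, as an added C example (not part of the original message and not code from any real dynamic linker). The function names, the `root_rule` switch and the environment entries are constructed for illustration; the example shows that a root process with equal real and effective UIDs, the /bin/login case, keeps its LD_ variables under the set-uid test alone and loses them under the proposed root test.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Test from the quoted reply: distrust LD_* only when real != effective UID. */
static bool setuid_check(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Test proposed in the message: also distrust LD_* when either UID is 0. */
static bool setuid_or_root_check(uid_t ruid, uid_t euid)
{
    return ruid != euid || ruid == 0 || euid == 0;
}

/* Drop every "LD_" entry from a NULL-terminated env array, in place.
 * Returns the number of entries removed. */
static size_t strip_ld_vars(char **envp)
{
    size_t removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        if (strncmp(*in, "LD_", 3) == 0)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Hypothetical loader step: pick a policy, sanitize if the process is untrusted. */
static size_t sanitize_env(char **envp, uid_t ruid, uid_t euid, bool root_rule)
{
    bool untrusted = root_rule ? setuid_or_root_check(ruid, euid)
                               : setuid_check(ruid, euid);
    return untrusted ? strip_ld_vars(envp) : 0;
}

int main(void)
{
    /* Constructed environment for a login-like process: ruid == euid == 0. */
    char *env[] = { "PATH=/bin", "LD_LIBRARY_PATH=/tmp/lib", "TERM=vt100", NULL };
    printf("set-uid test only: %zu removed\n", sanitize_env(env, 0, 0, false));
    printf("with root test:    %zu removed\n", sanitize_env(env, 0, 0, true));
    return 0;
}
```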
