[2382] in bugtraq
Re: Does the shared lib bug work on any suid program ?
daemon@ATHENA.MIT.EDU (Darren Reed)
Thu Nov 9 13:36:50 1995
Date: Fri, 10 Nov 1995 00:32:51 +1100
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
From: Darren Reed <avalon@coombs.anu.edu.au>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
In-Reply-To: <9511080920.AA13079@aft-ms.Holland.Sun.COM> from "Casper Dik" at
Nov 8, 95 10:20:17 am
In some mail from Casper Dik, sie said:
>
> >Testing if (EUID != UID) before using env variables for dynamic
> >linking is obviously a good point. But what about testing
> >if EUID or UID equal to zero as well ? Indeed, there are
> >few situations where you want root to run a program with
> >custom library path : root has to be sure about the code it executes.
>
> Too many people install broken software and want to run it
> as root (broken == requires LD_LIBRARY_PATH to be set).
[...]
A good way around this is installing "extra" shared libraries in another
directory (not /usr/lib) and in your rc files, change ldconfig to be
something like:
ldconfig /usr/lib /usr/openwin/lib /usr/X11/lib /usr/local/lib
or
ldconfig /usr/lib /opt/lib
etc.
darren
