[2399] in bugtraq


Re: Does the shared lib bug work on any suid program ?

daemon@ATHENA.MIT.EDU (Mark D Riggins)
Mon Nov 13 11:09:20 1995

Date:         Fri, 10 Nov 1995 12:54:12 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Mark D Riggins <mdr@vodka.sse.att.com>
X-To:         BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199511060945.KAA00352@imhotep.cst.cnes.fr> from "Gilles Soulet"
              at Nov 6, 95 10:45:57 am

Gillus writes:
> Testing if (EUID != UID) before using env variables for dynamic
> linking is obviously a good point. But what about testing
> if EUID or UID equals zero as well? Indeed, there are
> few situations where you want root to run a program with
> a custom library path: root has to be sure about the code it executes.
>
> Root trusting "foreign" libraries certainly isn't a good thing, even
> if on some systems, standard dynamic libraries belong to "bin" in
> the vendor's configuration ;-)
>
> At least, this will prevent us from having to care about a trojaned library
> path in root env...
>
>    Gillus

Good point. I'd prefer that root limit its search path to trusted
directories like /usr/lib, /etc/lib, /usr/securelibs, etc.
It could do that without totally ignoring LD_LIBRARY_PATH, which is an
otherwise useful feature.

Setting LD_RUN_PATH at compile time can cause the run time linker to
give precedence to these secure directories, but it does not limit
the search to these and only these directories.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
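
The policy discussed in this thread, as an added example (not code from either poster or from any real run-time linker): ignore LD_LIBRARY_PATH when EUID != UID, and for root keep only entries that name a trusted directory. The function name `filter_library_path` is hypothetical, and the allowlist is assumed from the directories named in the message above.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed allowlist: the directories named in the message above. */
static const char *const TRUSTED_DIRS[] = { "/usr/lib", "/etc/lib", "/usr/securelibs" };

/* Exact match only, so relative entries, "." and "/usr/lib/../x" are rejected. */
static int is_trusted(const char *dir, size_t len)
{
    while (len > 1 && dir[len - 1] == '/') len--;   /* tolerate trailing '/' */
    for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++)
        if (strlen(TRUSTED_DIRS[i]) == len && memcmp(TRUSTED_DIRS[i], dir, len) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: writes the search path the loader would honour into out.
 * Returns the number of entries kept, or -1 if out is too small. */
int filter_library_path(const char *path, uid_t uid, uid_t euid, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (path == NULL || uid != euid) return 0;      /* set-uid: ignore the variable */
    int restricted = (uid == 0);                    /* root: trusted dirs only */
    for (;;) {
        size_t len = strcspn(path, ":");
        if (!restricted || is_trusted(path, len)) { /* empty entry (cwd) is never trusted */
            if (used + len + (kept ? 1 : 0) + 1 > outsz) { out[0] = '\0'; return -1; }
            if (kept) out[used++] = ':';
            memcpy(out + used, path, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        if (path[len] == '\0') break;
        path += len + 1;
    }
    return kept;
}

int main(void)
{
    char buf[256];
    /* Constructed sample value, evaluated as root (uid 0, euid 0). */
    int n = filter_library_path("/tmp/evil:/usr/lib:.:/usr/securelibs/", 0, 0, buf, sizeof buf);
    printf("%d kept: %s\n", n, buf);
    return 0;
}
```

The match is on the path string only; symbolic links and the ownership or permissions of the directories are not checked here.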
