OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1995: Re: Does the shared lib bug work on any suid program ?

Re: Does the shared lib bug work on any suid program ?

Gilles Soulet (Gilles.Souletcst.cnes.fr)
Mon, 6 Nov 1995 10:45:57 +0100 

At 17:18 03/11/1995 -0500, Fred Blonder wrote:
>        From: Bernd Lehle <Bernd.LehleRUS.Uni-Stuttgart.DE>
>
>        after all the fuzz about the telnet/shared lib stuff somebody
>        here came up with something that might be even more
>        interesting:
>
>        What woul hapen in the following case:
>
>        .
>
>        This game could be played with any suid program, where You know
>        what routines it calls.
>
>        Or am I missing something ?
>
>You're missing something.
>
>The dynamic linker won't pay attention to the LD_-whatever environment
>variables if a program is set-uid: (real and effective UIDs different).
>
>This is a problem with /bin/login only because it runs as "root"
>withOUT being set-uid; real and effective UIDs are the same.
>

Testing if (EUID != UID) before using env variables for dynamic
linking is obviously a good point. But what about testing
if EUID or UID equal to zero as well ? Indeed, there are
few situations where you want root to run a program with
custom library path : root has to be sure about the code it executes.

Root trusting "foreign" libraries isn't certainly a good thing, even
if on some systems, standard dynamic libraries belongs to "bin" in
vendor's configuration ;-)

At least, this will prevent us of taking care about trojaned library
path is root env...

   Gillus