Home page logo

bugtraq logo Bugtraq mailing list archives

Re: LD_ hole (was Re: IFS hole?)
From: rik () vifp monash edu au (Rik Harris)
Date: Thu, 16 Dec 1993 14:14:01 +1100

Michael Neuman <mcn () c3serve c3 lanl gov> wrote:

c) delete any environment varable that begins with LD_

  Most people have said this for obvious reasons, but the ld manpage says
that will not search anything (for suid binaries) other than the trusted
paths for dynamically linked libraries even if LD_LIBRARY_PATH is set. Is
this statement false? Is there a way around it? Is LD_PRELOAD_PATH documented
anywhere? :-)

The problem is when that suid program calls any other program, keeping
privileges, the LD_* variables _are_ used.  ld.so will ignore LD_* if
the effective uid is not equal to the real uid.

Rik Harris - rik.harris () vifp monash edu au              || Systems Programmer
+61 3 560-3265 (AH) +61 3 565-3227 (BH)                 || and Administrator
Fac. of Computing & Info.Tech., Monash Uni, Australia   || Vic. Institute of
http://www.vifp.monash.edu.au/people/rik.html           || Forensic Pathology

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]