mailing list archives
Re: LD_ hole (was Re: IFS hole?)
From: smb () research att com (smb () research att com)
Date: Wed, 15 Dec 93 17:35:07 EST
> From bugtraq-owner () crimelab crimelab com Tue Dec 14 23:51:50 1993
> c) delete any environment varable that begins with LD_
Most people have said this for obvious reasons, but the ld
manpage says that will not search anything (for suid binaries)
other than the trusted paths for dynamically linked libraries
even if LD_LIBRARY_PATH is set. Is this statement false? Is
there a way around it? Is LD_PRELOAD_PATH documented anywhere?
There was a bug a while back involving this. Yes, the loader won't
honor LD_LIBRARY_PATH if it detects that it's running setuid. But
some programs -- like login -- do a setuid(geteuid()), and then exec
something else. That program *isn't* setuid -- and if LD_LIBRARY_PATH
is in the environment, it will be honored...
Saying ``delete any environment varable that begins with LD_'' is
exactly the wrong approach. Rather, you should wipe out the environment,
and only create what you know you need. You don't *know* what else
is dangerous, either today or 5 years from today, when your vendor
has released the next ``enhancement''.