| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Oct 2010 20:43:01 +0200 (MET DST) From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz> To: full-disclosure@...ts.grok.org.uk Subject: Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path On Mon, 18 Oct 2010, Tavis Ormandy wrote: > LD_AUDIT is intended for use with the linker auditing api (see the > rtld-audit manual), and has the usual restrictions for setuid programs > as LD_PRELOAD does. *facepalm* <rant> The only sensible restriction for LD_* environment variables (as well as many other env. vars.) when a setuid or setgid program is executed is to erase all traces of them at the first opportunity. Those two or three guys who might ever need to execute a set*id program with LD_PRELOAD or LD_AUDIT or whatever in order to do something other than exploit a vulnerability are free to rebuild Glibc with -DI_WANT_TO_PLAY_RUSSIAN_ROULETTE. Or perhaps it can be controlled by a configuration file in /etc. But it is pretty silly to enable it for everyone and trade convenience for a very small minority of users for extra risk for ALL users. (To be honest, I would go as far as to propose to erase ANY environment variable upon the execution of set*id program. At least unless it is allowed EXPLICITLY.) </rant> -- Pavel Kankovsky aka Peak / Jeremiah 9:21 \ "For death is come up into our MS Windows(tm)..." \ 21st century edition / _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists