lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Oct 2010 20:43:01 +0200 (MET DST)
From: Pavel Kankovsky <>
Subject: Re: The GNU C library dynamic linker expands
 $ORIGIN in setuid library search path

On Mon, 18 Oct 2010, Tavis Ormandy wrote:

> LD_AUDIT is intended for use with the linker auditing api (see the
> rtld-audit manual), and has the usual restrictions for setuid programs
> as LD_PRELOAD does.



The only sensible restriction for LD_* environment variables (as well as
many other env. vars.) when a setuid or setgid program is executed is to
erase all traces of them at the first opportunity.

Those two or three guys who might ever need to execute a set*id program
with LD_PRELOAD or LD_AUDIT or whatever in order to do something other
than exploit a vulnerability are free to rebuild Glibc with
-DI_WANT_TO_PLAY_RUSSIAN_ROULETTE. Or perhaps it can be controlled by
a configuration file in /etc. But it is pretty silly to enable it for 
everyone and trade convenience for a very small minority of users
for extra risk for ALL users.

(To be honest, I would go as far as to propose to erase ANY environment
variable upon the execution of set*id program. At least unless it is
allowed EXPLICITLY.)


Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists