Bugtraq mailing list archives
Re: LD_ hole (was Re: IFS hole?)
From: smb () research att com (smb () research att com)
Date: Wed, 15 Dec 93 17:35:07 EST
> > From bugtraq-owner () crimelab crimelab com Tue Dec 14 23:51:50 1993
> > c) delete any environment variable that begins with LD_
>
> Most people have said this for obvious reasons, but the ld manpage says that will not search anything (for suid binaries) other than the trusted paths for dynamically linked libraries even if LD_LIBRARY_PATH is set. Is this statement false? Is there a way around it? Is LD_PRELOAD_PATH documented anywhere? :-)

There was a bug a while back involving this. Yes, the loader won't honor LD_LIBRARY_PATH if it detects that it's running setuid. But some programs -- like login -- do a setuid(geteuid()), and then exec something else. That program *isn't* setuid -- and if LD_LIBRARY_PATH is in the environment, it will be honored...

Saying ``delete any environment variable that begins with LD_'' is exactly the wrong approach. Rather, you should wipe out the environment, and only create what you know you need. You don't *know* what else is dangerous, either today or 5 years from today, when your vendor has released the next ``enhancement''.
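The approach recommended in the message above, sketched as an added C example (not part of the original post): a privileged program builds a fresh environment from an allowlist before it execs anything, instead of filtering out names such as LD_*. The allowlist (TERM, TZ), the fixed PATH value, the function names and the sample inherited environment are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 8

/* Assumed allowlist: the only names copied from the caller's environment. */
static const char *const PASS_THROUGH[] = { "TERM", "TZ", NULL };
/* PATH is set by the program itself and never inherited. */
static char SAFE_PATH[] = "PATH=/usr/bin:/bin";

/* Return the first "name=value" entry for name, or NULL if absent. */
char *find_entry(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i];
    return NULL;
}

/* Build a new envp in out[]: SAFE_PATH plus allowlisted entries only.
 * Everything else (LD_*, IFS, the caller's PATH, names nobody has thought
 * of yet) is dropped because it is never copied. Returns the entry count. */
size_t build_clean_env(char *const inherited[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return 0;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; PASS_THROUGH[i] != NULL && n + 1 < cap; i++) {
        char *entry = find_entry(inherited, PASS_THROUGH[i]);
        if (entry != NULL)
            out[n++] = entry;
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample of an environment handed to a privileged program. */
    char *inherited[] = { "LD_LIBRARY_PATH=/tmp/lib", "IFS=/", "TERM=vt100",
                          "PATH=/tmp", NULL };
    char *clean[MAX_ENV];
    char *argv[] = { "env", NULL };

    build_clean_env(inherited, clean, MAX_ENV);
    execve("/usr/bin/env", argv, clean);   /* child sees PATH and TERM only */
    perror("execve");
    return 1;
}
```

Because the new environment starts empty, a loader variable added by a later vendor release is excluded without any change to this code, which is the point the message makes against prefix-based deletion.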