Bugtraq mailing list archives

Re: LD_ hole (was Re: IFS hole?)


From: smb () research att com (smb () research att com)
Date: Wed, 15 Dec 93 17:35:07 EST


        > From bugtraq-owner () crimelab crimelab com Tue Dec 14 23:51:50 1993
        >
        > c) delete any environment variable that begins with LD_
        >
        > Most people have said this for obvious reasons, but the ld
        > manpage says that will not search anything (for suid binaries)
        > other than the trusted paths for dynamically linked libraries
        > even if LD_LIBRARY_PATH is set. Is this statement false? Is
        > there a way around it? Is LD_PRELOAD_PATH documented anywhere?
        > :-)

There was a bug a while back involving this.  Yes, the loader won't
honor LD_LIBRARY_PATH if it detects that it's running setuid.  But
some programs -- like login -- do a setuid(geteuid()), and then exec
something else.  That program *isn't* setuid -- and if LD_LIBRARY_PATH
is in the environment, it will be honored...

Saying ``delete any environment variable that begins with LD_'' is
exactly the wrong approach.  Rather, you should wipe out the environment,
and only create what you know you need.  You don't *know* what else
is dangerous, either today or 5 years from today, when your vendor
has released the next ``enhancement''.
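
The allowlist approach argued for above, as an added example that is not part of the original post: a privileged program builds the child's environment from nothing before exec, rather than deleting variables by name. The inherited environment, the fixed PATH value and the TERM/HOME allowlist are constructed for illustration and are assumptions, not anything from the original message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static char *dup_str(const char *s)          /* strdup() without POSIX headers */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Build a child's environment from scratch: PATH gets a fixed trusted value and
 * only the variables named in `keep` are copied from the inherited environment;
 * LD_*, IFS and whatever a future release adds were never allowed in, so there
 * is no pattern to get wrong.  Returns a NULL-terminated envp for execve(). */
char **build_clean_env(char *const *env, const char *const *keep, size_t nkeep)
{
    char **out = calloc(nkeep + 2, sizeof *out);   /* PATH + keeps + NULL */
    if (!out) return NULL;
    size_t n = 0;
    out[n++] = dup_str("PATH=/bin:/usr/bin");
    for (size_t i = 0; i < nkeep; i++) {
        size_t klen = strlen(keep[i]);
        for (char *const *e = env; e && *e; e++)
            /* exact "NAME=" match, so keeping TERM does not also admit TERMCAP */
            if (strncmp(*e, keep[i], klen) == 0 && (*e)[klen] == '=') {
                out[n++] = dup_str(*e);
                break;
            }
    }
    return out;   /* calloc() already left out[n] == NULL */
}

/* 1 if `env` holds a variable called `name`, else 0. */
int env_has(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=') return 1;
    return 0;
}

int main(void)
{
    /* Constructed environment of the kind an untrusted caller could hand to login. */
    char *const inherited[] = { "LD_LIBRARY_PATH=/tmp/untrusted", "LD_PRELOAD=/tmp/x.so",
                                "IFS= ", "TERM=vt100", "HOME=/home/user", NULL };
    const char *const keep[] = { "TERM", "HOME" };
    char **clean = build_clean_env(inherited, keep, 2);
    for (size_t i = 0; clean && clean[i]; i++) puts(clean[i]);   /* envp for execve() */
    return 0;   /* a real login would now execve(path, argv, clean) */
}
```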
