Bugtraq mailing list archives
Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Thu, 28 Sep 2000 17:58:27 +0200
"Dwayne C . Litzenberger" <dlitz () CHEERFUL COM> writes:
> On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> > Hi, ld.so from glibc2 doesn't unset the variables LD_DEBUG_OUTPUT and LD_DEBUG when running suid. If a program calls setuid(0) and then fork(), the child process will follow a prepared symlink ($LD_DEBUG_OUTPUT.$pid) and overwrite any file on the system.
>
> When I run the suid program, LD_DEBUG still works (odd, but true), but LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal).

The problem is not the suid program, but another program exec'd by the suid program with uid==euid. In this case the glibc security checks are off and the inherited LD_DEBUG_OUTPUT is again used.

--
Robbe
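
An added example, not part of the original post or of glibc: because the loader's checks no longer apply once the exec'd program runs with uid==euid, a privileged program can drop the loader variables itself before it calls exec. The names `scrub_loader_env` and `exec_scrubbed` are hypothetical, and treating every `LD_`-prefixed variable as unsafe is an assumption of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), execv() declarations */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical policy: any LD_* name is read by the dynamic loader. */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact environ in place, dropping every LD_* entry (duplicates and
 * entries without '=' included). Returns the number of entries dropped. */
int scrub_loader_env(void)
{
    int dropped = 0;
    char **src, **dst;

    if (environ == NULL)
        return 0;
    for (src = dst = environ; *src != NULL; src++) {
        if (is_loader_var(*src))
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

/* Hypothetical wrapper for a privileged program: scrub, then exec. */
int exec_scrubbed(const char *path, char *const argv[])
{
    scrub_loader_env();
    return execv(path, argv);   /* returns only on failure */
}

int main(void)
{
    /* Constructed values standing in for an inherited environment. */
    setenv("LD_DEBUG", "files", 1);
    setenv("LD_DEBUG_OUTPUT", "/tmp/constructed-example", 1);
    printf("dropped %d loader variables\n", scrub_loader_env());
    printf("LD_DEBUG_OUTPUT is %s\n",
           getenv("LD_DEBUG_OUTPUT") ? "still set" : "unset");
    return 0;
}
```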