From lee@nerds.org.uk  Mon Jun  2 09:16:09 2003
Return-Path: <lee@nerds.org.uk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id DE94837B401; Mon,  2 Jun 2003 09:16:09 -0700 (PDT)
Received: from cybergimp.nerds.org.uk (nic.nerds.org.uk [195.172.124.22])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 68CB043FA3; Mon,  2 Jun 2003 09:16:08 -0700 (PDT)
	(envelope-from lee@nerds.org.uk)
Received: by cybergimp.nerds.org.uk (Postfix, from userid 1000)
	id 1B4F6D9037; Mon,  2 Jun 2003 17:16:07 +0100 (BST)
Message-Id: <20030602161606.GA26694@nerds.org.uk>
Date: Mon, 2 Jun 2003 17:16:07 +0100
From: Lee Brotherston <lee@nerds.org.uk>
To: David Schultz <das@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.ORG
In-Reply-To: <20030601181850.GA946@HAL9000.homeunix.com>
Subject: Re: LD_LIBRARY_PATH security checks
References: <200207302036.g6UKamu9051791@www.freebsd.org> <20030601181850.GA946@HAL9000.homeunix.com>

>Number:         52869
>Category:       misc
>Synopsis:       Re: LD_LIBRARY_PATH security checks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 02 09:20:13 PDT 2003
>Closed-Date:    Mon Jun 02 16:02:29 PDT 2003
>Last-Modified:  Wed Aug 13 13:08:12 PDT 2003
>Originator:     Lee Brotherston
>Release:        
>Organization:
>Environment:
>Description:
 On Sun, Jun 01, 2003 at 11:18:50AM -0700, David Schultz wrote:
 > The passage you quote in the manual applies to ldconfig(8), not to
 > LD_LIBRARY_PATH.  There are no such checks for LD_LIBRARY_PATH for
 > root or otherwise.  ldconfig(8) makes the checks as documented.
 
 Sorry if I didn't explain what I meant there.  I realise that this
 pertains to ldconfig, I was trying to illustrate what checks were used
 elsewhere in the OS for shared libs.
 
 
 > Your proposal would add a large amount of overhead to program
 > execution time, and to what end?  If someone with root privileges
 > adds an untrusted directory to his LD_LIBRARY_PATH for some odd
 > reason, how are we to stop him?
 ...
 > The root user is implicitly trusted and has the privileges of all
 > the other users anyway, so you're ...um...preventing root from
 > breaking root.
 
 I see what you're saying (again I probably wasn't clear enough in what
 I meant).  I realise that compromising the LD_LIBRARY_PATH of root as
 root would accomplish nothing.  I was thinking more along the lines of
 a scenario whereby a user (admittedly in the wheel group for this
 example) has their account compromised and then su's to root.  During
 su'ing only USER, HOME & SHELL are modified and so the potentially
 tainted LD_LIBRARY_PATH is now used by root.  i.e. gaining access to
 the user account could potentially lead to escalating this to root.  
 
 I take on board your comments about increasing execution time; perhaps
 this could be a configurable/optional feature?
 
 
 > If you su to root from the account of an untrusted user, you're
 > asking for trouble anyway.  There are many documented cases of
 > people breaking root this way, and you don't even need to fiddle
 > with LD_LIBRARY_PATH.  The untrusted user just sets his PATH to
 > include a fake version of su(1) that records root's password,
 > prints ``Sorry'', and spawns the real su(1).  The correct thing to
 > do is to use su(1) only from trusted accounts.
 
 True, it was this sort of thinking that made me ponder this in the
 first place.  My thinking was that although this can be achieved as
 described, LD_LIBRARY_PATH is less checked than PATH and so is a little
 stealthier; maybe I'm wrong.
 
 I suspect that not implementing a security feature because there's
 already a similar, easier way to compromise the machine isn't the best
 reason not to do it ;)
 
 Seriously I understand what you're saying, I just thought I'd mention
 this as a potentially helpful feature.
 
 Thanks
 
   Lee
 
 -- 
 Lee Brotherston - <lee@nerds.org.uk>
 Jar Jar Binks Makes The Ewoks Look Like Shaft
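
The check Lee floats above, as an added example that is not part of the PR, the thread or FreeBSD's own code: instead of teaching rtld to vet LD_LIBRARY_PATH on every exec (David's overhead objection), a wheel user can run the same kind of ownership and permission checks that ldconfig(8) is documented as making over the search paths a root shell would inherit, once, just before su(1).  Function names, the "untrusted" rules (owner must be root, directory must not be group- or world-writable, must exist and be absolute) and the treatment of an empty component as the current directory are this example's own assumptions; the directories created in the usage notes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR: pre-su(1) sanity check for the search paths
# (LD_LIBRARY_PATH, PATH) a root shell inherits from the caller's environment.
# Rules mirror the spirit of ldconfig(8)'s directory checks; they are this
# example's own, as are the function names.

# check_search_path PATHSTRING [TRUSTED_OWNER]
# Prints one "<reason> <component>" line per untrusted component and returns
# 1 if any was found, 0 if the whole path is clean.  TRUSTED_OWNER defaults to
# root.  Components with spaces in their names are not handled (ls parsing).
check_search_path() {
    _path=$1
    _owner_ok=${2:-root}
    _bad=0
    _rest="$_path:"                  # trailing ':' so the loop sees the last field
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -z "$_d" ]; then
            # Leading, trailing or doubled ':' is an empty field.  Assumption:
            # treat it like PATH's empty field, i.e. the current directory.
            echo "empty-component ."
            _bad=1
            continue
        fi
        case $_d in
            /*) ;;
            *)  echo "relative $_d"; _bad=1; continue ;;
        esac
        if [ ! -d "$_d" ]; then
            # A missing directory is a future drop point if its parent is writable.
            echo "missing $_d"; _bad=1; continue
        fi
        # ls -ld works the same on BSD and GNU: field 1 is the mode string
        # (position 6 = group write, position 9 = other write), field 3 the owner.
        set -- $(ls -ld "$_d")
        _mode=$1
        _who=$3
        if [ "$_who" != "$_owner_ok" ]; then
            echo "owner=$_who $_d"; _bad=1; continue
        fi
        case $_mode in
            ????????w*) echo "world-writable $_d"; _bad=1; continue ;;
            ?????w*)    echo "group-writable $_d"; _bad=1; continue ;;
        esac
    done
    return $_bad
}

# check_su_environment [TRUSTED_OWNER]
# What a cautious su wrapper would do before handing the caller's environment
# to root: check both search paths, print what is wrong (prefixed with the
# variable name) and return 1 so the caller can refuse, or fall back to
# `su -` / `env -i su` which do not carry the tainted variables across.
check_su_environment() {
    _rc=0
    for _var in LD_LIBRARY_PATH PATH; do
        eval "_val=\${$_var:-}"
        [ -z "$_val" ] && continue
        _out=$(check_search_path "$_val" "$@") || _rc=1
        [ -n "$_out" ] && printf '%s\n' "$_out" | sed "s/^/$_var: /"
    done
    return $_rc
}
```

Usage: source the file and run `check_su_environment || echo "refusing to su with this environment"` from the wheel account before typing `su`.  Because the check runs in the unprivileged user's shell, a compromised account could of course tamper with the checker itself; the point is the one Lee makes, that LD_LIBRARY_PATH deserves at least the scrutiny people already give PATH, and that it can be had without touching rtld.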
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Mon Jun 2 16:00:02 PDT 2003 
State-Changed-Why:  
Misfiled followup to misc/41179. 

Lee, 

When replying to this thread, gnats is getting confused as David and 
yourself are replying to each other's private mails.  To avoid this 
happening in the future, could you please ensure that the Subject 
header is of the form "Re: misc/41179: LD_LIBRAR..."? 

Thanks! 



Responsible-Changed-From-To: gnats-admin->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Mon Jun 2 16:00:02 PDT 2003 
Responsible-Changed-Why:  
Take from gnats-admin. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52869 
>Unformatted:
