Date: Tue, 23 Jul 2002 14:57:19 +0100
From: Lee Brotherston <lee@nerds.org.uk>
To: hackers@freebsd.org
Subject: LD_LIBRARY_PATH security checks
Message-ID: <20020723135719.GA68246@nerds.org.uk>
Hi,

Something that has occurred to me is something I perceive to be a problem with the security features of LD_LIBRARY_PATH, and I was after any (helpful) comments ;)

A couple of things mentioned in ldconfig(8):

    "Special care must be taken when loading shared libraries into the address space of set-user-Id programs. Whenever such a program is run, the dynamic linker will only load shared libraries from the hints file. In particular, the LD_LIBRARY_PATH is not used to search for libraries."

This is not always the case; this does not appear to apply to root. This may be me being pedantic, but I think that this should be mentioned in the man pages if it is an intended feature.

    "For security reasons, directories which are world or group-writable or which are not owned by root produce warning messages and are skipped, unless the -i option is present."

Now this is actually with regard to using ldconfig, not LD_LIBRARY_PATH, but I think it illustrates something that I think should be considered in a minute...

Currently root can, by using LD_LIBRARY_PATH, use alternative libraries which are not owned by root, are world writable, in a world writable directory, for a setuid binary:

    # echo $LD_LIBRARY_PATH
    /var/tmp
    # ldd /usr/bin/passwd
    /usr/bin/passwd:
            libcrypt.so.2 => /var/tmp/libcrypt.so.2 (0x2806a000)
            librpcsvc.so.2 => /usr/lib/librpcsvc.so.2 (0x28083000)
            libutil.so.3 => /usr/lib/libutil.so.3 (0x2808b000)
            libc.so.4 => /usr/lib/libc.so.4 (0x28094000)
    # ls -al /var/tmp/libcrypt.so.2
    -rw-rw-rw-  1 nobody  nobody  28588 Jul 23 14:31 /var/tmp/libcrypt.so.2

My reason for objecting to this is that I think this makes it too easy to escalate privileges once a wheel account is compromised.

By placing alternative libraries in an existing LD_LIBRARY_PATH directory (permissions permitting), or by adding one to the user's profile and waiting for them to su (from su(1): "By default, the environment is unmodified with the exception of USER, HOME, and SHELL."), they can execute code which uses a malicious shared library without realising it.

You could argue that if a machine is compromised to this point already, an attacker could modify the PATH variable to similar ends, but I think that this is less noticeable to a novice admin (this feature is not mentioned in the man pages) and could be avoided easily...

Is there any reason that, when root loads libraries (particularly on setuid applications) via LD_LIBRARY_PATH, the same checks shouldn't be applied that are used with ldconfig, that being ownership and world/group writability?

I might be way off on this one, but I'd be interested to hear what people have to say.

Thanks, and sorry for the long rambly mail ;)

Lee

-- 
Lee Brotherston - <lee@nerds.org.uk>
http://www.nerds.org.uk - "Use the source Luke"
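The check Lee proposes, as an added example that is not part of his mail or of FreeBSD's rtld or ldconfig code: take each element of LD_LIBRARY_PATH and apply the rules ldconfig(8) quotes above (directory owned by root, not group- or world-writable) before trusting it. The behaviour Lee observed follows from rtld deciding trust via issetugid(2), which reports false when root runs a setuid-root binary because no credential change took place, so the variable is honoured. The names check_ld_dir() and audit_ld_library_path() are this example's own; it also rejects empty or relative elements, an assumption added here because those resolve against the current directory, which the mail does not discuss.

```c
/*
 * Added example, not code from the mail or from FreeBSD's rtld/ldconfig:
 * apply the ldconfig(8) directory rules (owned by root, not group- or
 * world-writable) to every element of LD_LIBRARY_PATH.
 *
 * Assumptions: POSIX stat(2); check_ld_dir() and audit_ld_library_path()
 * are names invented here. Empty or relative elements are rejected too,
 * since they resolve against the current directory.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum ld_verdict {
    LD_TRUSTED = 0,
    LD_RELATIVE,        /* empty or not absolute: resolves against cwd */
    LD_MISSING,         /* stat(2) failed */
    LD_NOT_DIRECTORY,
    LD_WORLD_WRITABLE,  /* anyone can drop a libcrypt.so.2 here */
    LD_GROUP_WRITABLE,
    LD_NOT_ROOT_OWNED   /* the owner can chmod it writable at will */
};

static const char *const ld_verdict_name[] = {
    "trusted", "relative path", "does not exist", "not a directory",
    "world-writable", "group-writable", "not owned by root"
};

/* Classify one LD_LIBRARY_PATH element; the first failing rule wins.
 * Writability is tested before ownership so that a world-writable
 * directory is reported as such whoever owns it. */
enum ld_verdict check_ld_dir(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/')
        return LD_RELATIVE;
    if (stat(dir, &st) != 0)
        return LD_MISSING;
    if (!S_ISDIR(st.st_mode))
        return LD_NOT_DIRECTORY;
    if (st.st_mode & S_IWOTH)
        return LD_WORLD_WRITABLE;
    if (st.st_mode & S_IWGRP)
        return LD_GROUP_WRITABLE;
    if (st.st_uid != 0)
        return LD_NOT_ROOT_OWNED;
    return LD_TRUSTED;
}

/* Split a colon-separated LD_LIBRARY_PATH value, check each element and
 * return how many would be rejected. With verbose != 0 each element and
 * its verdict is printed to stderr, ldconfig-style. Unlike strtok(3) this
 * keeps empty elements ("a::b", leading or trailing ':') so they are flagged. */
int audit_ld_library_path(const char *value, int verbose)
{
    char entry[4096];
    const char *p = value;
    int rejected = 0;

    if (value == NULL)
        return 0;           /* variable unset: nothing would be searched */

    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        enum ld_verdict v;

        if (len >= sizeof entry)
            len = sizeof entry - 1;
        memcpy(entry, p, len);
        entry[len] = '\0';

        v = check_ld_dir(entry);
        if (v != LD_TRUSTED)
            rejected++;
        if (verbose)
            fprintf(stderr, "  %-32s %s\n", len ? entry : "(empty)",
                    ld_verdict_name[v]);
        if (end == NULL)
            break;
        p = end + 1;
    }
    return rejected;
}

/* Audit the caller's own environment; exit non-zero if any element
 * would be skipped under the ldconfig rules. */
int main(void)
{
    const char *value = getenv("LD_LIBRARY_PATH");
    int rejected;

    if (value == NULL) {
        puts("LD_LIBRARY_PATH is unset; nothing to check");
        return 0;
    }
    fprintf(stderr, "LD_LIBRARY_PATH=%s\n", value);
    rejected = audit_ld_library_path(value, 1);
    printf("%d untrusted element%s\n", rejected, rejected == 1 ? "" : "s");
    return rejected ? 1 : 0;
}
```

Build with `cc -o ldpath-audit ldpath-audit.c` and run it under the environment in question, for instance `LD_LIBRARY_PATH=/var/tmp ./ldpath-audit`; /var/tmp is normally mode 1777, so it is reported as world-writable. The sticky bit on /var/tmp is no mitigation here: it only stops other users removing or renaming existing entries, and does nothing to prevent anyone creating a new libcrypt.so.2 in the directory, which is exactly the situation shown in the ls output above.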