From owner-freebsd-hackers Mon Oct 23 22:01:26 1995 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id WAA08518 for hackers-outgoing; Mon, 23 Oct 1995 22:01:26 -0700 Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id WAA08491 for ; Mon, 23 Oct 1995 22:01:18 -0700 Received: by sequent.kiae.su id AA20434 (5.65.kiae-2 ); Tue, 24 Oct 1995 08:50:08 +0400 Received: by sequent.KIAE.su (UUMAIL/2.0); Tue, 24 Oct 95 08:50:07 +0300 Received: (from ache@localhost) by ache.dialup.demos.ru (8.6.11/8.6.9) id HAA01075; Tue, 24 Oct 1995 07:45:13 +0300 To: Nate Williams Cc: ache@freefall.freebsd.org, freebsd-hackers@freebsd.org References: <199510232318.RAA24039@rocky.sri.MT.net> <199510240010.SAA24195@rocky.sri.MT.net> <199510240233.UAA24556@rocky.sri.MT.net> <199510240419.WAA24802@rocky.sri.MT.net> In-Reply-To: <199510240419.WAA24802@rocky.sri.MT.net>; from Nate Williams at Mon, 23 Oct 1995 22:19:14 -0600 Message-Id: Organization: Olahm Ha-Yetzirah Date: Tue, 24 Oct 1995 07:45:13 +0300 (MSK) X-Mailer: Mail/@ [v2.40 FreeBSD] From: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) X-Class: Fast Subject: Re: ld.so, LD_NOSTD_PATH, and suid/sgid programs Lines: 50 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Length: 1781 Sender: owner-hackers@freebsd.org Precedence: bulk In message <199510240419.WAA24802@rocky.sri.MT.net> Nate Williams writes: >> >Well, simple example: >> >> > setuid_shared_binary > /tmp/file >> > ... (f.e. few static commands) >> > setuid_static_binary < /tmp/file # OOPS! >> > (umask is restrictive, of course) >How will this example fail if you set LD_NOSTD_PATH? It produce empty /tmp/file instead of valid data (first binary drops core at startup). Safely LD_NOSTD_PATH itself is not fully implemented in FreeBSD. >> When LD_NOSTD_PATH is set (when it will works, of course), >> first binary fails leaving an empty file and second binary >> got empty input when it isn't suppose it. >And the problem is? Second binary can treat empty data in unpredictable way. >> I assume script was unbreakable, of course, i.e. all signals >> was disabled. Now it becomes breakable. >Why is the script breakable? I mean that script/program writers allow user only _run_ programs, not stop or fail them. >> Basically it means that intruder gains ability to selectively >> control execution flow. >Sigh, I think there are much bigger holes in the system that folks will >have problems with if you attempt to use 'secure' shell scripts. I agree. But disabling even some holes reduces probability of secure violation. As I already mention, it isn't stuck on "shell scripts" only, entering the same command by hand give the same results. Imagine some database manipulations/requests handling with requestor programs started by hand. -- Andrey A. Chernov : And I rest so composedly, /Now, in my bed, ache@astral.msk.su : That any beholder /Might fancy me dead - http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead. RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849