Date: Mon, 2 Jun 2003 16:10:12 -0700 (PDT)
From: Ceri Davies <ceri@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
Message-ID: <200306022310.h52NACpT036474@freefall.freebsd.org>
The following reply was made to PR misc/41179; it has been noted by GNATS.

From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
Date: Tue, 3 Jun 2003 00:04:31 +0100

Adding to audit trail, from misfiled PR misc/52872:

Date: Mon, 2 Jun 2003 10:13:44 -0700
From: David Schultz <das@FreeBSD.org>
Message-Id: <20030602171344.GA2249@HAL9000.homeunix.com>
References: <200207302036.g6UKamu9051791@www.freebsd.org> <20030601181850.GA946@HAL9000.homeunix.com> <20030602161606.GA26694@nerds.org.uk>

On Mon, Jun 02, 2003, Lee Brotherston wrote:
> > If you su to root from the account of an untrusted user, you're
> > asking for trouble anyway. There are many documented cases of
> > people breaking root this way, and you don't even need to fiddle
> > with LD_LIBRARY_PATH. The untrusted user just sets his PATH to
> > include a fake version of su(1) that records root's password,
> > prints ``Sorry'', and spawns the real su(1). The correct thing to
> > do is to use su(1) only from trusted accounts.
>
> True, it was this sort of thinking that made me ponder this in the
> first place. My thinking was that although this can be achieved as
> described, LD_LIBRARY_PATH is less checked than PATH and so is a little
> stealthier, maybe I'm wrong.
>
> I suspect that not implementing a security feature because there's
> already a similar, easier way to compromise the machine isn't the best
> reason not to do it ;)

The trojan su trick can be done quite stealthily. Many users already have $HOME/bin in their path, so all they need to do is make a $HOME/bin/su that records passwords. An even stealthier tactic is to trojan the shell. The bottom line is that if a user's account is compromised and someone su's to root from that account, the root account can be easily compromised.
In fact, even if your LD_LIBRARY_PATH check were implemented, an attacker could easily construct a trojanned binary that skipped the check. So I'm not convinced that preventing one of many avenues for such an attack is worthwhile. On the other hand, you're more than welcome to submit patches, and others may agree with you on this matter.
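The PATH-shadowing condition described in this thread, turned into a check an administrator can run before trusting su(1) from a given account. This is an added example, not code from the PR thread or from FreeBSD. It assumes the trusted su(1) lives at /usr/bin/su (overridable through TRUSTED_SU), and the function names resolve_in_path, writable_dirs_before and audit_su_lookup are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the PR thread): audit the environment for the
# conditions the thread describes before trusting su(1) from this account.
# Assumption (hypothetical): the trusted su(1) is /usr/bin/su unless
# TRUSTED_SU says otherwise.

TRUSTED_SU="${TRUSTED_SU:-/usr/bin/su}"

# Print the first executable named $2 found by walking the PATH-style
# list $1 left to right, mimicking the shell's command lookup.
# Status 1 if no directory in the list contains it.
resolve_in_path() {
    _path="$1"; _name="$2"
    _old_ifs="$IFS"; IFS=:
    for _dir in $_path; do
        [ -z "$_dir" ] && _dir=.      # an empty PATH entry means "."
        if [ -x "$_dir/$_name" ] && [ ! -d "$_dir/$_name" ]; then
            IFS="$_old_ifs"
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS="$_old_ifs"
    return 1
}

# Print every directory in the PATH-style list $1 that is searched
# before the directory $2 and is writable by the current user: a fake
# su(1) planted in such a directory wins the lookup.
writable_dirs_before() {
    _path="$1"; _trusted_dir="$2"
    _old_ifs="$IFS"; IFS=:
    for _dir in $_path; do
        [ -z "$_dir" ] && _dir=.
        [ "$_dir" = "$_trusted_dir" ] && break
        [ -w "$_dir" ] && printf '%s\n' "$_dir"
    done
    IFS="$_old_ifs"
    return 0
}

# Status 0 when "su" in the PATH-style list $1 resolves to TRUSTED_SU,
# no writable directory is searched before it, and LD_LIBRARY_PATH is
# unset; otherwise status 1 with the findings on stdout.
audit_su_lookup() {
    _path="$1"
    _rc=0
    _found=$(resolve_in_path "$_path" su) || _found="(none)"
    if [ "$_found" != "$TRUSTED_SU" ]; then
        printf 'su resolves to %s, expected %s\n' "$_found" "$TRUSTED_SU"
        _rc=1
    fi
    _dirs=$(writable_dirs_before "$_path" "${TRUSTED_SU%/*}")
    if [ -n "$_dirs" ]; then
        printf 'writable PATH entries searched before %s:\n%s\n' \
            "${TRUSTED_SU%/*}" "$_dirs"
        _rc=1
    fi
    if [ -n "${LD_LIBRARY_PATH:-}" ]; then
        printf 'LD_LIBRARY_PATH is set: %s\n' "$LD_LIBRARY_PATH"
        _rc=1
    fi
    return $_rc
}

# Run the audit against the live environment when invoked as:
#   sh audit_su.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_su_lookup "$PATH"
fi
```

The check is deliberately stricter than "does su resolve to the right file": a writable directory ahead of /usr/bin is reported even when no fake su(1) is present yet, because that ordering is the precondition for the trick, and a clean result today says nothing about tomorrow. As the thread notes, a trojanned shell defeats any check run from within that shell, so the only robust mitigation remains the one stated above: use su(1) only from trusted accounts.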