From owner-freebsd-bugs@FreeBSD.ORG Mon Jun 2 16:10:13 2003
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 70F0337B401 for ; Mon, 2 Jun 2003 16:10:13 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDFAC43FA3 for ; Mon, 2 Jun 2003 16:10:12 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h52NACUp036475 for ; Mon, 2 Jun 2003 16:10:12 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h52NACpT036474; Mon, 2 Jun 2003 16:10:12 -0700 (PDT)
Date: Mon, 2 Jun 2003 16:10:12 -0700 (PDT)
Message-Id: <200306022310.h52NACpT036474@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ceri Davies
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Ceri Davies
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 02 Jun 2003 23:10:13 -0000

The following reply was made to PR misc/41179; it has been noted by GNATS.

From: Ceri Davies
To: FreeBSD Gnats Submit
Cc:
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
Date: Tue, 3 Jun 2003 00:04:31 +0100

Adding to audit trail, from misfiled PR misc/52872:

Date: Mon, 2 Jun 2003 10:13:44 -0700
From: David Schultz
Message-Id: <20030602171344.GA2249@HAL9000.homeunix.com>
References: <200207302036.g6UKamu9051791@www.freebsd.org> <20030601181850.GA946@HAL9000.homeunix.com> <20030602161606.GA26694@nerds.org.uk>

On Mon, Jun 02, 2003, Lee Brotherston wrote:
> > If you su to root from the account of an untrusted user, you're
> > asking for trouble anyway. There are many documented cases of
> > people breaking root this way, and you don't even need to fiddle
> > with LD_LIBRARY_PATH. The untrusted user just sets his PATH to
> > include a fake version of su(1) that records root's password,
> > prints ``Sorry'', and spawns the real su(1). The correct thing to
> > do is to use su(1) only from trusted accounts.
>
> True, it was this sort of thinking that made me ponder this in the
> first place. My thinking was that although this can be achieved as
> described, LD_LIBRARY_PATH is less checked than PATH and so is a little
> stealthier, maybe I'm wrong.
>
> I suspect that not implementing a security feature because there's
> already a similar, easier way to compromise the machine isn't the best
> reason not to do it ;)

The trojan su trick can be done quite stealthily. Many users already
have $HOME/bin in their path, so all they need to do is make a
$HOME/bin/su that records passwords. An even stealthier tactic is to
trojan the shell. The bottom line is that if a user's account is
compromised and someone su's to root from that account, the root
account can be easily compromised. In fact, even if your
LD_LIBRARY_PATH check were implemented, an attacker could easily
construct a trojanned binary that skipped the check. So I'm not
convinced that preventing one of many avenues for such an attack is
worthwhile. On the other hand, you're more than welcome to submit
patches, and others may agree with you on this matter.
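The thread argues that a $HOME/bin entry in PATH is at least as dangerous as an LD_LIBRARY_PATH entry. The following POSIX sh audit, added here as an example and not part of the PR or of FreeBSD, walks both variables the way the dynamic linker and the shell would and flags entries an untrusted local account could populate: empty or relative entries (resolved against the current directory) and directories writable by the invoking user. The function names `check_search_var` and `audit_env` are assumptions of this example; it is meant to be run as the unprivileged user before typing su, so that `-w` reflects that user's access rather than root's.

```shell
#!/bin/sh
# Example audit of PATH and LD_LIBRARY_PATH (not part of the PR).
# Run as the unprivileged user BEFORE su, so -w reflects that user's rights.

# check_search_var NAME VALUE
# Prints one line per suspicious entry of the colon-separated VALUE and
# returns the number of findings (0 = nothing flagged).
check_search_var() {
    name=$1
    if [ -z "$2" ]; then
        return 0
    fi
    rest="$2:"          # trailing ':' so the last field is processed too
    findings=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}  # field up to the next ':' (may be empty)
        rest=${rest#*:}  # drop that field and its delimiter
        case $dir in
            "" | .)
                # empty or "." entry: searched relative to the current directory
                echo "$name: empty or '.' entry searches the current directory"
                findings=$((findings + 1)) ;;
            /*)
                # absolute entry: flag it only if the caller can write there
                if [ -w "$dir" ]; then
                    echo "$name: $dir is writable by $(id -un)"
                    findings=$((findings + 1))
                fi ;;
            *)
                # any other relative entry also depends on the current directory
                echo "$name: relative entry '$dir' depends on the current directory"
                findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# audit_env: check both variables; returns non-zero if anything was flagged.
audit_env() {
    total=0
    check_search_var PATH "$PATH" || total=$((total + $?))
    check_search_var LD_LIBRARY_PATH "$LD_LIBRARY_PATH" || total=$((total + $?))
    return $total
}
```

Something like `audit_env && su` refuses the privilege change when the environment has been tampered with; as the thread notes, this catches the crude PATH trick but not a trojaned shell.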