Date: Sun, 3 Nov 2002 14:00:16 -0500 (EST)
From: Robert Watson
To: Miguel Mendez
Cc: kientzle@acm.org, morganw@chemikals.org, current@FreeBSD.ORG
Subject: Re: libc size
In-Reply-To: <20021103155858.3be6eda9.flynn@energyhq.homeip.net>

On Sun, 3 Nov 2002, Miguel Mendez wrote:

> > 2) Security. Can LD_LIBRARY_PATH (or other mechanisms)
> > be used to deliberately subvert any of these programs?
> > (especially the handful of suid/sgid programs here)
> ..
>
> I can't come up right now with an idea of how exploiting LD_LIBRARY_PATH
> could be useful with any of these, but the possibility exists. OTOH, the
> recently added privilege elevation feature should make it possible to
> have *no* setuid programs on a system, and have the kernel elevate
> privileges for certain syscalls, based on the policy created by
> systrace.

LD_LIBRARY_PATH is disabled for setuid binaries -- the kernel sets the
P_ISSETUGID flag, which is exported to userspace by issetugid(), which is
in turn checked by the rtld, which will refuse to observe that
environmental variable (and a number of others) as a result. We have
plenty of dynamically linked setuid binaries in the system already, and
it's not a problem.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
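
The check described in the message above, applied to a program's own environment-controlled search path. This is an added example, not part of the original email and not FreeBSD's rtld source. The variable MYAPP_PLUGIN_PATH, the default directory, the absolute-path rule, and the use of getauxval(AT_SECURE) where issetugid() is unavailable are assumptions of the example.

```c
/* Added example: honor an environment override only when the process did
 * not change credentials at exec, the test the message says rtld applies
 * to LD_LIBRARY_PATH. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>  /* getauxval(AT_SECURE): stand-in on Linux (assumption) */
#endif

/* Hypothetical built-in directory used when the environment is not trusted. */
static const char default_dir[] = "/usr/local/lib/myapp";

/* Returns 1 if the kernel marked this process as setuid/setgid-tainted. */
int process_is_tainted(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return issetugid() != 0;   /* userspace view of P_ISSETUGID on FreeBSD */
#endif
}

/* Pure policy function: decide which directory to search, given the taint
 * flag and the raw value of the hypothetical MYAPP_PLUGIN_PATH variable. */
const char *choose_plugin_dir(int tainted, const char *env_value)
{
    if (tainted)                       /* caller's environment is ignored */
        return default_dir;
    if (env_value == NULL || env_value[0] != '/')
        return default_dir;            /* unset, empty or relative: this
                                          example's own extra rule */
    return env_value;
}

int main(void)
{
    int tainted = process_is_tainted();
    const char *dir = choose_plugin_dir(tainted, getenv("MYAPP_PLUGIN_PATH"));

    printf("tainted=%d plugin dir=%s\n", tainted, dir);
    return 0;
}
```

Keeping the decision in a function that takes the taint flag as a parameter lets the setuid branch be tested without installing a setuid binary.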