From owner-freebsd-current Sun Nov 3 11:11:32 2002 Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC69037B401 for ; Sun, 3 Nov 2002 11:11:30 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C01143E6E for ; Sun, 3 Nov 2002 11:11:29 -0800 (PST) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id gA3J5jOo063491; Sun, 3 Nov 2002 14:05:45 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Sun, 3 Nov 2002 14:05:44 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Miguel Mendez Cc: kientzle@acm.org, morganw@chemikals.org, current@FreeBSD.ORG Subject: Re: libc size In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sun, 3 Nov 2002, Robert Watson wrote: > On Sun, 3 Nov 2002, Miguel Mendez wrote: > > > > 2) Security. Can LD_LIBRARY_PATH (or other mechanisms) > > > be used to deliberately subvert any of these programs? > > > (especially the handful of suid/sgid programs here) > > .. > > > > I can't come up right now with an idea of how exploiting LD_LIBRARY_PATH > > could be useful with any of these, but the possibility exists. OTOH, the > > recently added priviledge elevation feature should make it possible to > > have *no* setuid programs on a system, and have the kernel elevate > > priviledges for certain syscalls, based on the policy created by > > systrace. > > LD_LIBRARY_PATH is disabled for setuid binaries -- the kernel sets the > P_ISSETUGID flag, which is exported to userspace by issetugid(), which is > in turn checked by the rtld, which will refuse to observe that > environmental variable (and a number of others) as a result. We have > plenty of dynamically linked setuid binaires in the system already, and > it's not a problem. Due to sucky latency, I didn't realize y fingers had typed the constant there incorrectly, that should read P_SUGID. That same protection also prevents debugging of processes following privilege downgrade, amongst other things. On the systrace issue -- I have lasting concerns about the race conditions present in fine-grained SMP and threaded systems, such as FreeBSD 5, or present in systems providing Linux clone() emulation. Neils has addressed some but not all of these concerns; until they are fully addressed, the race conditions there will remain a serious problem. When the scheduler activation work hits the main NetBSD tree, I would expect similar problems. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message