Date: Sun, 3 Nov 2002 14:05:44 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.ORG> To: Miguel Mendez <flynn@energyhq.homeip.net> Cc: kientzle@acm.org, morganw@chemikals.org, current@FreeBSD.ORG Subject: Re: libc size Message-ID: <Pine.NEB.3.96L.1021103140214.62308B-100000@fledge.watson.org> In-Reply-To: <Pine.NEB.3.96L.1021103135713.62308A-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 3 Nov 2002, Robert Watson wrote: > On Sun, 3 Nov 2002, Miguel Mendez wrote: > > > > 2) Security. Can LD_LIBRARY_PATH (or other mechanisms) > > > be used to deliberately subvert any of these programs? > > > (especially the handful of suid/sgid programs here) > > .. > > > > I can't come up right now with an idea of how exploiting LD_LIBRARY_PATH > > could be useful with any of these, but the possibility exists. OTOH, the > > recently added priviledge elevation feature should make it possible to > > have *no* setuid programs on a system, and have the kernel elevate > > priviledges for certain syscalls, based on the policy created by > > systrace. > > LD_LIBRARY_PATH is disabled for setuid binaries -- the kernel sets the > P_ISSETUGID flag, which is exported to userspace by issetugid(), which is > in turn checked by the rtld, which will refuse to observe that > environmental variable (and a number of others) as a result. We have > plenty of dynamically linked setuid binaires in the system already, and > it's not a problem. Due to sucky latency, I didn't realize y fingers had typed the constant there incorrectly, that should read P_SUGID. That same protection also prevents debugging of processes following privilege downgrade, amongst other things. On the systrace issue -- I have lasting concerns about the race conditions present in fine-grained SMP and threaded systems, such as FreeBSD 5, or present in systems providing Linux clone() emulation. Neils has addressed some but not all of these concerns; until they are fully addressed, the race conditions there will remain a serious problem. When the scheduler activation work hits the main NetBSD tree, I would expect similar problems. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021103140214.62308B-100000>