Date: Mon, 26 Jul 1999 05:40:37 -0500
From: Chris Costello
To: Robert Watson
Cc: jkoshy@FreeBSD.ORG, hackers@FreeBSD.ORG, sef@FreeBSD.ORG
Subject: Re: yet more ways to attack executing binaries (was Re: deny ktrace without read permissions? )
Message-ID: <19990726054037.D79022@holly.dyndns.org>
Reply-To: chris@calldei.com
References: <199907260544.WAA13646@freefall.freebsd.org>
In-Reply-To: ; from Robert Watson on Mon, Jul 26, 1999 at 06:31:14AM -0400

On Mon, Jul 26, 1999, Robert Watson wrote:
>
> Another cool attack on this mechanism is if the binary uses shared
> libraries: modify LD_LIBRARY_PATH so that its favorite shared library is
> your own version of the library, that proceeds to dump the entire
> application to disk when executed.
>
> The challenge of adding additional sandbox/restrictions outside of the
> traditional uid boundaries in UNIX is challenging. The number of ways to
> influence a program's execution is quite sizable...

   Perhaps an option when compiling the linker code to select whether to
avoid or ignore LD_LIBRARY_PATH if a shared library it's looking for is in
the default path.
   Another problem I've heard of in another OS is that if a suid root
binary is dynamically linked, you could set LD_LIBRARY_PATH and make your
own little libc which would, say, exec /bin/sh on something like printf.
Options for both of those (or defaults) might be something to look into.
Or is that second one fixed in FreeBSD?

--
|Chris Costello
|[Unix] is not necessarily evil, like OS/2. - Peter Norton
`----------------------------------------------------------
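The two loader policies the thread is weighing, written out as an added example (this is illustration code, not FreeBSD's rtld and not anything posted in the thread): a set-id process ignores LD_LIBRARY_PATH outright, and an ordinary process consults the default search path before the environment so a library the system ships cannot be shadowed. The in-memory "filesystem", the /tmp/evil directory and the library names are constructed; `resolve()` and `search()` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory "filesystem" (nothing is read from disk). */
struct entry { const char *dir; const char *lib; };
static const struct entry fs[] = {
    { "/usr/lib",  "libc.so.3"   },   /* the system copy */
    { "/tmp/evil", "libc.so.3"   },   /* a shadow copy in a user-writable dir */
    { "/tmp/evil", "libfoo.so.1" },   /* a library that exists only there */
};
static const char *const default_path = "/usr/lib:/usr/local/lib";

static bool present(const char *dir, const char *lib)
{
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (strcmp(fs[i].dir, dir) == 0 && strcmp(fs[i].lib, lib) == 0) return true;
    return false;
}
/* Walk a colon-separated dir list; return "dir/lib" in a static buffer, or NULL. */
static const char *search(const char *list, const char *lib)
{
    static char out[512];
    char buf[256];
    if (list == NULL || strlen(list) >= sizeof buf) return NULL;
    strcpy(buf, list);
    for (char *dir = strtok(buf, ":"); dir; dir = strtok(NULL, ":"))
        if (present(dir, lib)) { snprintf(out, sizeof out, "%s/%s", dir, lib); return out; }
    return NULL;
}

/* Loader policy.  trusted == false means the process is set-id (issetugid(2) would
 * be nonzero): LD_LIBRARY_PATH is ignored outright.  A trusted process tries the
 * default path first, so a system library cannot be shadowed by an env entry. */
const char *resolve(const char *lib, const char *ld_library_path, bool trusted)
{
    const char *hit = search(default_path, lib);
    if (hit != NULL || !trusted) return hit;   /* set-id: never consult the environment */
    return search(ld_library_path, lib);
}
int main(void)
{
    const char *libs[] = { "libc.so.3", "libfoo.so.1" }, *p;
    for (int t = 1; t >= 0; t--)          /* t == 1: normal user; t == 0: set-id */
        for (int i = 0; i < 2; i++)
            printf("%-6s %-12s -> %s\n", t ? "user" : "setuid", libs[i],
                   (p = resolve(libs[i], "/tmp/evil", t)) ? p : "(refused)");
    return 0;
}
```

Run as written, the set-id case resolves libc from /usr/lib and refuses libfoo.so.1 altogether, which is the trade-off of ignoring the environment: a set-id binary that needs a library outside the default path simply fails to load rather than pick up a user-supplied copy.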