From owner-freebsd-hackers  Mon Jul 26  4:17:24 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 052FF14E35; Mon, 26 Jul 1999 04:17:23 -0700 (PDT)
	(envelope-from jkoshy@FreeBSD.org)
Received: (from jkoshy@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id EAA43920;
	Mon, 26 Jul 1999 04:16:28 -0700 (PDT)
	(envelope-from jkoshy@FreeBSD.org)
Date: Mon, 26 Jul 1999 04:16:28 -0700 (PDT)
From: <jkoshy@FreeBSD.org>
Message-Id: <199907261116.EAA43920@freefall.freebsd.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: chris@calldei.com
Cc: hackers@freebsd.org
Subject: Re: yet more ways to attack executing binaries (was Re: deny ktrace without read permissions? ) 
In-Reply-To: Your message of "Mon, 26 Jul 1999 05:40:37 EST."
             <19990726054037.D79022@holly.dyndns.org> 
Mime-Version: 1.0
Content-Type: text/plain
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG



c> heard of in another OS is that if a suid root binary is
c> dynamically linked, you could set LD_LIBRARY_PATH and make your
c> own little libc which would, say, exec /bin/sh on something like
c> printf.  Options for both of those (or defaults) might be
c> something to look into.  Or is that second one fixed in FreeBSD?

LD_LIBRARY_PATH, LD_PRELOAD and LD_DEBUG are ignored for setuid executables
in FreeBSD.

Koshy
<jkoshy@freebsd.org>








To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message