List:       bugtraq
Subject:    Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
From:       Robert Bihlmeyer <robbe () ORCUS ! PRIV ! AT>
Date:       2000-09-28 15:58:27


"Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM> writes:

> On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> > Hi,
> >    ld.so from glibc2 doesn't unset variables LD_DEBUG_OUTPUT and LD_DEBUG
> > when running suid. If program calls setuid(0) and then fork(), child
> > process will follow prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> > overwrites any file in system.
>
> When I run the suid program, LD_DEBUG still works (odd, but true), but
> LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal).

The problem is not the suid program, but another program exec'd by the
suid program with uid==euid. In this case the glibc security checks
are off and the inherited LD_DEBUG_OUTPUT is again used.

--
Robbe

["signature.ng" (application/pgp-signature)]
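
The mitigation on the privileged side of the case described in the reply above, as an added example that is not part of the original message or of glibc: a program that changes its uid and then execs another program drops every LD_* variable from the environment it hands to the child, since the child runs with uid==euid and the loader's own checks no longer apply. The helper names, the sample environment and the exec'd path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample environment, as a privileged parent might inherit it. */
static char *sample_env[] = {
    "PATH=/usr/bin:/bin", "LD_DEBUG=files",
    "LD_DEBUG_OUTPUT=/tmp/ld-debug", "TERM=vt100", NULL
};

/* Hypothetical helper: true for any dynamic-loader variable (LD_*). */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact a NULL-terminated environment array in place, dropping every
 * LD_* entry. Returns the number of entries removed. */
int scrub_loader_env(char **envp)
{
    char **dst = envp;
    int removed = 0;

    for (char **src = envp; *src != NULL; src++) {
        if (is_loader_var(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Look up NAME in an environment array; NULL when it is absent. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

int main(void)
{
    printf("removed %d loader variables\n", scrub_loader_env(sample_env));
    /* The child starts without the inherited LD_DEBUG / LD_DEBUG_OUTPUT. */
    execve("/usr/bin/env", (char *[]){ "env", NULL }, sample_env);
    perror("execve");
    return 1;
}
```

Dropping only LD_* is the narrow case; a privileged program can equally pass a fixed, minimal environment to execve.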