[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
From: Robert Bihlmeyer <robbe () ORCUS ! PRIV ! AT>
Date: 2000-09-28 15:58:27
[Download RAW message or body]
"Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM> writes:
> On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> > Hi,
> > ld.so from glibc2 doesn't unset variables LD_DEBUG_OUTPUT and LD_DEBUG
> > when running suid. If program calls setuid(0) and then fork(), child
> > process will follow prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> > overwrites any file in system.
>
> When I run the suid program, LD_DEBUG still works (odd, but true), but
> LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal).
The problem is not the suid program, but another program exec'd by the
suid program with uid==euid. In this case the glibc security checks
are off and the inherited LD_DEBUG_OUTPUT is again used.
--
Robbe
["signature.ng" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic