This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: [fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]


On Tue, Sep 05, 2000 at 09:41:00AM -0700, Ulrich Drepper wrote:
> Ben Collins <bcollins@debian.org> writes:
> 
> > Then /tmp and /var/tmp too...I guess in that situation, ld.so would be an
> > open hole.
> 
> Have you ever tried to execute a +s binary with ld.so directly?  You
> can, yes, but the +s has no effect.  How could it?
> 

That's true, the +s bit (both suid and sgid) has no effect, since ld.so is not
suid.
But that still does not invalidate the point. ld.so is executing files it should
not. Since it does not exec() it directly, but apparently reads it into memory
and executes it from there, the kernel can do nothing about it. That being the
case, ld.so should test for noexec.

Okay, I know that in many (most) cases this ld.so executing "feature" is a
non-issue. But when a user can only write to /tmp, and /tmp is noexec'd, then
this does become an issue, as I'm sure you agree, even if the program in question
does nothing more than send a userlist (taken from /etc/passwd) to the attacker's
mailbox. Or send a very big spam which, coming from localhost, will not be
blocked. Possible uses of this are various, and depend only on the attacker's
imagination.

[]s

-- 
 /*        Rodrigo Barbosa -  A.K.A. morcego       */
 /* rodrigob@conectiva.com.br - Conectiva R&D Team */
 /*      "Quis custodiet custodias?" - Juvenal     */

PGP signature
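The test the message asks ld.so to perform, as an added example in C that is not part of glibc, ld.so or this thread: look up the mount holding a path with statvfs(3) and refuse to load anything whose filesystem carries the noexec flag. The helper names flags_forbid_exec() and path_on_noexec_mount() are assumptions made for this example. ST_NOEXEC is a GNU extension, which glibc exposes only under _GNU_SOURCE; the fallback value used when it is missing is Linux's MS_NOEXEC bit and is an assumption labelled as such in the code. One caveat a practitioner will want: current Linux kernels already refuse a PROT_EXEC mmap of a file on a noexec mount with EPERM, so a loader that maps segments executable is stopped in the kernel; the user-space check below is what this message proposes for a loader that would otherwise bypass the mount restriction.

```c
/* noexec_check.c: added example, not glibc or ld.so code.
   Assumed helper names: flags_forbid_exec(), path_on_noexec_mount(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* glibc exposes ST_NOEXEC only under _GNU_SOURCE */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>

#ifndef ST_NOEXEC
/* Assumption: libcs that lack the macro still report Linux's MS_NOEXEC bit. */
#define ST_NOEXEC 8
#endif

/* Pure decision on the mount flags reported by statvfs(): 1 if the
   filesystem was mounted noexec, 0 otherwise.  Kept separate from the
   syscall so the policy can be tested without touching a real mount. */
int flags_forbid_exec(unsigned long f_flag)
{
    return (f_flag & ST_NOEXEC) ? 1 : 0;
}

/* Look up the mount holding `path`.  On success returns 0 and stores
   1 in *noexec if that mount forbids execution, else 0.  On failure
   (unreadable or missing path) returns -1 with errno set; a loader
   must then refuse, because "don't know" must not mean "allowed". */
int path_on_noexec_mount(const char *path, int *noexec)
{
    struct statvfs sv;

    if (statvfs(path, &sv) != 0)
        return -1;
    *noexec = flags_forbid_exec(sv.f_flag);
    return 0;
}

/* Stand-alone usage: noexec_check [path]; the exit status mirrors what
   a loader doing this check would do (0 = may load, 1 = refuse). */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp";
    int noexec = 0;

    if (path_on_noexec_mount(path, &noexec) != 0) {
        fprintf(stderr, "%s: cannot stat mount: %s\n", path, strerror(errno));
        return 1;   /* fail closed */
    }
    printf("%s is on a %s mount\n", path, noexec ? "noexec" : "exec-allowed");
    return noexec ? 1 : 0;
}
```

Run it as `./noexec_check /tmp/prog` before mapping the file; the decision is deliberately split into a pure flag test and a syscall wrapper so the policy (a noexec mount means refuse, and an error means refuse) can be exercised with constructed flag values independently of how the host is mounted.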

