This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.


Re: [fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]


On Tue, Sep 05, 2000 at 10:39:15AM -0700, Ulrich Drepper wrote:
> "Rodrigo Barbosa (aka morcego)" <rodrigob@conectiva.com.br> writes:
> 
> > Okay, I know in many (most) of the cases, this ld.so executing
> > "feature" is a non-issue. But when a user can only write to /tmp, and
> > /tmp is noexec'd, then this does become an issue, as I'm sure you
> > agree, even if the program in question does nothing more than send a
> > userlist (taken from /etc/passwd) to the attacker's mailbox.
> 
> I don't agree at all with your points.  Changing ld.so does not help
> at all since somebody could just take out the code and recompile.  Not
> even that is necessary: a simple ELF loader is trivial, you can have
> an innocent looking program lying around.

But that supposes the user has exec permission on a filesystem where he also
has write permission. I agree in that case this is a non-issue.

But if the user only has access to /tmp, which is noexec'd, the only
way he can execute something he put there is using a program previously installed,
in this case ld.so. This scenario is the one, and only one, where I
see ld.so as a problem.

> There will be no check for the +x bits since this is pointless and
> only obscuring the problem.  Besides, it does not open any security
> holes.

Hum? +x bits? Now that you say that, I did notice it too. ld.so executes
even if the file does not have the +x bit set. Hummm, very interesting.
Anyway, it falls on the same code related to the noexec issue in question.

[]s

PS.: Pardon me for my (lack of) English skills

-- 
 /*        Rodrigo Barbosa -  A.K.A. morcego       */
 /* rodrigob@conectiva.com.br - Conectiva R&D Team */
 /*      "Quis custodiet custodias?" - Juvenal     */
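
The check debated in this message (refuse to load a file that has no +x bit or that sits on a noexec mount), written out as an added example; it is not glibc code and not code from this thread. The names `exec_policy`, `exec_policy_fd` and `DENY_*` are hypothetical, and the "any execute bit set" test is a simplification of a real per-user access check.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc exposes ST_NOEXEC only with this */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8            /* Linux value, used if the header hid it */
#endif

enum { DENY_NOT_REGULAR = 1, DENY_NO_XBIT = 2, DENY_NOEXEC_MOUNT = 4 };

/* Pure policy decision (hypothetical helper): 0 means "may be loaded". */
int exec_policy(mode_t mode, unsigned long mount_flags)
{
    int deny = 0;
    if (!S_ISREG(mode))
        deny |= DENY_NOT_REGULAR;
    if (!(mode & (S_IXUSR | S_IXGRP | S_IXOTH)))   /* simplified +x test */
        deny |= DENY_NO_XBIT;
    if (mount_flags & ST_NOEXEC)
        deny |= DENY_NOEXEC_MOUNT;
    return deny;
}

/* Check an already-open descriptor, so the file that was checked is the
 * file that later gets mapped (no second path lookup in between).
 * Returns -1 on error, otherwise the DENY_* bit mask. */
int exec_policy_fd(int fd)
{
    struct stat st;
    struct statvfs vfs;
    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    return exec_policy(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDONLY);
    int deny = fd < 0 ? -1 : exec_policy_fd(fd);
    if (fd >= 0) close(fd);
    printf("%s: deny mask %d\n", argv[1], deny);
    return deny != 0;
}
```

A deny mask of 0 means both conditions discussed in the thread are satisfied; a non-zero mask names which one failed.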
