This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: [fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]
On Tue, Sep 05, 2000 at 10:39:15AM -0700, Ulrich Drepper wrote:
> "Rodrigo Barbosa (aka morcego)" <rodrigob@conectiva.com.br> writes:
>
> > Okay, I know in many (most) of the cases, this ld.so executing
> > "feature" is a non-issue. But when a user can only write to /tmp, and
> > /tmp is noexec'd, then this does become an issue, as I'm sure you
> > agree, even if the program in question does nothing more than send a
> > userlist (taken from /etc/passwd) to the attacker's mailbox.
>
> I don't agree at all with your points. Changing ld.so does not help
> at all since somebody could just take out the code and recompile. Not
> even that is necessary: a simple ELF loader is trivial, you can have
> an innocent looking program lying around.
But that supposes the user has exec permission on a filesystem where he also
has write permission. I agree that in that case this is no issue.
But if the user only has access to /tmp, which is noexec'd, the only
way he can execute something he put there is by using a program previously installed,
in this case ld.so. This scenario is the one, and only one, where I
see ld.so as a problem.
> There will be no check for the +x bits since this is pointless and
> only obscuring the problem. Besides, it does not open any security
> holes.
Hum? +x bits? Now that you say that, I did notice it too. ld.so executes
even if the file does not have the +x bit set. Hummm, very interesting.
Anyway, it falls under the same code related to the noexec issue in question.
[]s
PS.: Pardon me for my (lack of) english skills
--
/* Rodrigo Barbosa - A.K.A. morcego */
/* rodrigob@conectiva.com.br - Conectiva R&D Team */
/* "Quis custodiet custodias?" - Juvenal */
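Since the glibc position in this thread is that the loader will not check the +x bit, the practical defensive option for the /tmp-noexec scenario Rodrigo describes is to notice when the loader is invoked directly with a program path. The script below is an added example written for this archive page; it is not code from the thread, from glibc, or from Conectiva. It assumes Linux audit `type=EXECVE` records (the `aN="..."` argument fields auditd emits for execve), a small set of ld.so options (`--list`, `--verify`, `--library-path`, `--preload`, `--inhibit-rpath`, `--audit`, `--argv0`), and a /proc/mounts-style table; the audit lines and mount table are constructed sample data, not output from a real host.

```python
"""Flag programs run through the dynamic loader in Linux audit EXECVE records.

Added example (not from the libc-alpha thread). Running
`/lib/ld-linux.so.2 /tmp/prog` sidesteps both the +x bit and a noexec mount
on /tmp, so the detection is: loader as argv[0], a program path as its first
non-option argument, and (for severity) whether that path sits on a noexec
mount. The sample audit lines and mount table below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Loader basenames across glibc/musl versions, e.g. ld-2.1.3.so, ld-linux.so.2,
# ld-linux-x86-64.so.2, ld.so.1, ld-musl-x86_64.so.1 (assumed naming pattern).
LOADER_RE = re.compile(r"(^|/)ld(-[^/]*)?\.so(\.[0-9]+)*$")

# ld.so options that consume a value, and flags that only inspect a binary
# (ldd uses --list/--verify; nothing is executed in that case).
OPTS_WITH_VALUE = {"--library-path", "--inhibit-rpath", "--preload", "--audit", "--argv0"}
NON_EXEC_FLAGS = {"--list", "--verify"}

ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')        # aN="value" fields of an EXECVE record
MSG_RE = re.compile(r"msg=audit\(([0-9.]+):(\d+)\)")  # timestamp:serial


def parse_execve(line: str) -> Optional[dict]:
    """Return {'serial', 'argv'} for a type=EXECVE record, else None."""
    if "type=EXECVE" not in line:
        return None
    m = MSG_RE.search(line)
    args = sorted((int(i), v) for i, v in ARG_RE.findall(line))
    if not args:
        return None
    return {"serial": m.group(2) if m else "?", "argv": [v for _, v in args]}


def loader_target(argv: list[str]) -> Optional[str]:
    """If argv runs a program through ld.so, return that program's path."""
    if not argv or not LOADER_RE.search(argv[0]):
        return None
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in NON_EXEC_FLAGS:          # inspection only, no program is run
            return None
        if a in OPTS_WITH_VALUE:         # skip option and its value
            i += 2
            continue
        if a.startswith("--"):           # other loader flag
            i += 1
            continue
        return a                         # first positional argument = program
    return None


def mount_for(path: str, mounts: str) -> tuple[str, set[str]]:
    """Longest-prefix match of `path` against /proc/mounts-style text."""
    best: tuple[str, set[str]] = ("/", set())
    for entry in mounts.splitlines():
        f = entry.split()
        if len(f) < 4:
            continue
        mp, opts = f[1], set(f[3].split(","))
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) >= len(best[0]):
            best = (mp, opts)
    return best


@dataclass
class Finding:
    serial: str
    program: str
    mountpoint: str
    on_noexec: bool


def scan(lines: list[str], mounts: str) -> list[Finding]:
    """Run the detection over audit lines; one Finding per loader-executed program."""
    out: list[Finding] = []
    for line in lines:
        rec = parse_execve(line)
        if not rec:
            continue
        prog = loader_target(rec["argv"])
        if prog is None:
            continue
        mp, opts = mount_for(prog, mounts)
        out.append(Finding(rec["serial"], prog, mp, "noexec" in opts))
    return out


# Constructed sample data: a noexec /tmp, one bypass, one ldd-style listing,
# one ordinary exec, one loader run with --library-path on a normal mount.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(968175555.101:2001): argc=2 a0="/lib/ld-linux.so.2" a1="/tmp/userlist"',
    'type=EXECVE msg=audit(968175556.102:2002): argc=3 a0="/lib/ld-linux.so.2" a1="--list" a2="/bin/ls"',
    'type=EXECVE msg=audit(968175557.103:2003): argc=1 a0="/bin/ls"',
    'type=EXECVE msg=audit(968175558.104:2004): argc=4 a0="/lib64/ld-linux-x86-64.so.2" '
    'a1="--library-path" a2="/home/u/lib" a3="/home/u/app"',
    'type=SYSCALL msg=audit(968175558.104:2004): arch=c000003e syscall=59 success=yes',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT, SAMPLE_MOUNTS):
        tag = "NOEXEC-BYPASS" if f.on_noexec else "loader-exec"
        print(f"{tag:14} serial={f.serial} program={f.program} mount={f.mountpoint}")
```

On the sample data only serial 2001 is reported as a noexec bypass and 2004 as a plain loader-run program; the `--list` invocation and the ordinary `/bin/ls` exec are ignored. The mount lookup is there because, as the thread notes, the loader path itself lives on an executable filesystem; what matters for triage is where the program it was handed lives.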