Subject: Re: Dynalinks in 1.1
To: None <current-users@NetBSD.ORG>
From: Erik M. Theisen <etheisen@teclink.net>
List: current-users
Date: 11/07/1995 23:33:00
>How would you propose to deal with the security implications of
>allowing dynamic libraries to be found anywhere the user says?
>Is it sufficient to disable search for suid executables?
>Seems safer (though maybe paranoid) to never search.

>"Gee, that program runs as root.  If I can just create my trojan
>libc.so.xxx in one of the first places it looks, then I'm in!"

The current behavior of the loader disables the searching of LD_LIBRARY_PATH
for programs that are suid.  This coupled with ldconfig restricting
mods of the hints 'bucket' to the root user helps prevent games like
you described.  If the root user only adds 'trusted' dynalink directories
to the bucket, all should be well.  If root blindly adds dirs, he
deserves to get burnt!:)

At least one other OS I know of functions by completely disallowing the
use of dynalinks in a suid program.  This is probably taking it one step
too far, but who knows what some crazy cracker could dream up.  I would
settle for this behavior if it would allow me to have my dlopen() function
NORMALLY!  Although, I doubt that security is the reason it's broken!

Sorry about the mixup with dlerror().  Yes, Yes, Yes, it is implemented, Yes!
I guess it got repaired recently, seems to work great except for successful
returns, "Undefined error: 0" yuk!:)  That's due to that damn strerror(),
though.

Fantastico.

Thanks Paul!

Ciao,
Erik
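The policy Erik describes above (LD_LIBRARY_PATH is honoured only when the process is not set-user-ID or set-group-ID; the hints directories are trusted because only root can change them), as an added illustration that is not part of this message and not taken from the NetBSD loader source. It is a small C model of the search-order decision; the hints list, the fixed default of /usr/lib, and directory names such as /tmp/evil are constructed assumptions, not anything from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_DIRS 32
#define PATH_BUF 1024

/* The privilege-boundary test: a process whose real and effective IDs
 * differ is running set-user-ID or set-group-ID, and the loader must
 * not let the invoking user steer its library search. */
int is_setugid(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Build the ordered directory list a loader would search for a shared
 * library.  A model of the policy from the thread, not NetBSD's ld.so:
 *   setugid          1 when the process crosses a privilege boundary
 *   ld_library_path  value of LD_LIBRARY_PATH, or NULL if unset
 *   hints/nhints     directories from the root-owned hints file (ldconfig)
 *   scratch          caller buffer; holds the split copy of ld_library_path
 *   out/maxout       receives pointers to the directory strings
 * Returns the number of entries written to out. */
size_t build_search_path(int setugid, const char *ld_library_path,
                         const char *const *hints, size_t nhints,
                         char scratch[PATH_BUF],
                         const char *out[], size_t maxout)
{
    size_t n = 0;

    /* User-supplied directories come first in the search order, which is
     * exactly why they are skipped entirely for set-id programs. */
    if (!setugid && ld_library_path != NULL && *ld_library_path != '\0') {
        char *p;
        strncpy(scratch, ld_library_path, PATH_BUF - 1);
        scratch[PATH_BUF - 1] = '\0';
        for (p = scratch; n < maxout; ) {
            char *colon = strchr(p, ':');
            if (colon != NULL)
                *colon = '\0';
            if (*p != '\0')          /* ignore empty components */
                out[n++] = p;
            if (colon == NULL)
                break;
            p = colon + 1;
        }
    }

    /* Then the hints directories, which only root can add to. */
    for (size_t i = 0; i < nhints && n < maxout; i++)
        out[n++] = hints[i];

    /* Finally the system default (assumed here to be /usr/lib). */
    if (n < maxout)
        out[n++] = "/usr/lib";
    return n;
}

/* Index of the first search-path entry equal to dir, or -1 if absent. */
int path_index(const char *dir, const char *const *path, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(path[i], dir) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: root-maintained hints plus an attacker's
     * LD_LIBRARY_PATH pointing at a directory holding a trojan libc.so. */
    const char *hints[] = { "/usr/local/lib", "/usr/X11R6/lib" };
    const char *evil_env = "/tmp/evil:/home/erik/lib";
    char scratch[PATH_BUF];
    const char *path[MAX_DIRS];

    for (int setugid = 0; setugid <= 1; setugid++) {
        size_t n = build_search_path(setugid, evil_env, hints, 2,
                                     scratch, path, MAX_DIRS);
        printf("%s program searches:", setugid ? "set-id" : "ordinary");
        for (size_t i = 0; i < n; i++)
            printf(" %s", path[i]);
        printf("  (trojan dir at index %d)\n",
               path_index("/tmp/evil", path, n));
    }

    /* The same decision for the running process, using its real IDs. */
    printf("this process is %sset-id\n",
           is_setugid(getuid(), geteuid(), getgid(), getegid()) ? "" : "not ");
    return 0;
}
```

For an ordinary program the attacker's /tmp/evil lands at index 0, ahead of every trusted directory, so a trojan libc.so there wins; for the set-id case the user-controlled components never enter the list at all, and only the root-curated hints plus the default remain. The model also drops empty components, which a real loader of that era treated as the current directory, another path an attacker can control.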