Subject: Re: non-root user executes root shell?
To: Lubomir Sedlacik <salo@Xtrmntr.org>
From: Ben Collver <collver@peak.org>
List: netbsd-users
Date: 10/03/2004 05:35:05
On Sun, Oct 03, 2004 at 05:19:51AM -0700, Ben Collver wrote:
> 2) /usr/bin/id is dynamic linked to libc, so one could use
> LD_PRELOAD and a libc wrapper to execute arbitrary code. I am not
> certain about this one.
I should have read the manual before writing this one. From
ld.elf_so(1):
SECURITY CONSIDERATIONS
The environment variables LD_LIBRARY_PATH and LD_PRELOAD are not honored
when executing in a set-user-ID or set-group-ID environment. This action
is taken to prevent malicious substitution of shared object dependencies
or interposition of symbols.
Cheers,
Ben