Subject: bin/2682: setuid dynamic objects ignore compiled-in library paths
To: None <gnats-bugs@NetBSD.ORG>
From: Michael Graff <>
List: netbsd-bugs
Date: 08/09/1996 20:24:32
>Number:         2682
>Category:       bin
>Synopsis:       setuid dynamic objects ignore compiled-in library paths
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug  9 20:50:01 1996
>Originator:     Michael Graff
>Organization:  yes, we do know everything
>Release:        08-Aug-1996
System: NetBSD 1.2A NetBSD 1.2A (ZHANEEL) #4: Mon Jul 29 16:51:24 EDT 1996 i386

When a program is compiled and the location of shared libraries are
specified on the link line, if the program is setuid these compiled-in
search paths are excluded from search.

Since the executable has this search path compiled in, it seems to be ok
to allow it to be searched since, if the user can modify this path or the
contents in the directory, the system is already in trouble.

Compile a program which uses a private shared library in /tmp with:

	cc -Wl,R -Wl/tmp foo.c

Make the file setuid some other user, and the library cannot be found.