[svlug] Trying to "hide" new libraries on Red Hat 6.0 for an experiment

David E. Fox dfox at belvdere.vip.best.com
Mon May 17 21:24:42 PDT 1999

> That's not the issue; it's a huge security hole to allow a user to 
> specify his own shared libraries for use by setuid-root programs... you
> could effectively introduce Trojans this way.

Granted, it's a tradeoff. One should minimize the need for programs
to need to run setuid root in the first place. But you are correct
in saying that arbitrary libraries can be a point of trouble. We
are reasonably assured though that libc-2.0.7 (which you want to run
if only for testing) is fairly safe.

> BTW, although LD_LIBRARY_PATH seems to work fine for specifying the
> shared library path, I never see it documented for Linux -- I tend to

Interesting. It should be documented. I have not heard of (or don't
remember seeing) LD_RUN_PATH and LD_AOUT_LIBRARY_PATH. It may be
that the AOUT part got dropped when Linux went to ELF, but I don't
know for sure.

> Alan Denney      yosemite at accesscom.com
David E. Fox                 Tax              Thanks for letting me
dfox at belvdere.vip.best.com   the              change magnetic patterns
root at belvedere.sbay.org      churches         on your hard disk.
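
An added example, not part of the original message or of any project it mentions: glibc's loader ignores LD_LIBRARY_PATH for a setuid program itself (secure-execution mode), but a program that a privileged helper later executes with equal real and effective IDs is not in that mode and would honor the caller's setting. The sketch below shows one way such a helper could scrub the environment first; the function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* True for entries a privileged helper should not pass on: malformed ones
   (no name or no '=') and any variable with the loader's LD_ prefix, which
   covers LD_LIBRARY_PATH, LD_RUN_PATH and LD_AOUT_LIBRARY_PATH. */
static int is_unsafe_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact a NULL-terminated environment vector in place.
   Returns the number of entries removed. */
static size_t scrub_loader_env(char **envp)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_unsafe_entry(envp[i]))
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, as an unprivileged caller might set it. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "LD_LIBRARY_PATH=/home/user/lib",
        "HOME=/home/user",
        "LD_AOUT_LIBRARY_PATH=/home/user/aout",
        NULL
    };
    size_t n = scrub_loader_env(env);
    printf("removed %zu entries\n", n);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("kept: %s\n", env[i]);
    /* A real helper would now pass env to execve() for the child program. */
    return 0;
}
```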
