[svlug] Trying to "hide" new libraries on Red Hat 6.0 for an experiment

David E. Fox dfox at belvdere.vip.best.com
Mon May 17 21:24:42 PDT 1999


> That's not the issue; it's a huge security hole to allow a user to 
> specify his own shared libraries for use by setuid-root programs... you
> could effectively introduce Trojans this way.

Granted, it's a tradeoff. One should minimize the need for programs
to need to run setuid root in the first place. But you are correct
in saying that arbitrary libraries can be a point of trouble. We
are reasonably assured though that libc-2.0.7 (which you want to run
if only for testing) is fairly safe.

> BTW, although LD_LIBRARY_PATH seems to work fine for specifying the
> shared library path, I never see it documented for Linux -- I tend to

Interesting. It should be documented. I have not heard of (or don't
remember seeing) LD_RUN_PATH and LD_AOUT_LIBRARY_PATH. It may be
that the AOUT part got dropped when Linux went to ELF, but I don't
know for sure.

> Alan Denney      yosemite at accesscom.com
------------------------------------------------------------------------
David E. Fox                 Tax              Thanks for letting me
dfox at belvdere.vip.best.com   the              change magnetic patterns
root at belvedere.sbay.org      churches         on your hard disk.
-----------------------------------------------------------------------
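
Added example, not part of the original message or of any poster's code: the dynamic loader ignores LD_LIBRARY_PATH and related variables for a process the kernel marks for secure execution (AT_SECURE), but a privileged program that later executes a helper can still hand those variables on, so it should scrub them first. The function names and the sample environment are constructed for illustration, and removing every `LD_`-prefixed variable is a deliberately conservative assumption.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Nonzero when the kernel flagged this process for secure execution
 * (setuid/setgid binary or file capabilities). In that mode ld.so
 * ignores LD_LIBRARY_PATH and similar variables for this process. */
int in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Remove every "LD_*" entry from a NULL-terminated environment vector,
 * compacting it in place. Returns the number of entries removed. */
int scrub_loader_env(char **env)
{
    char **dst = env;
    int removed = 0;

    for (char **src = env; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;          /* loader control variable: drop it */
        else
            *dst++ = *src;      /* keep everything else, in order */
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, as a user might supply it. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "LD_LIBRARY_PATH=/home/user/lib",
        "HOME=/home/user",
        "LD_AOUT_LIBRARY_PATH=/home/user/aout",
        "LD_PRELOAD=/tmp/x.so",
        NULL
    };
    int n = scrub_loader_env(env);

    printf("secure mode: %d, removed %d\n", in_secure_mode(), n);
    for (char **p = env; *p != NULL; p++)
        puts(*p);               /* what a child would inherit via execve */
    return 0;
}
```

The scrubbed vector is what a privileged program would pass as the third argument to execve() instead of its inherited environment.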
