There has been some confusion over the whole LD_PRELOAD thread. Hopefully this will clear things up.

There are two dynamic linkers used by the Linux community: the old ld (ld-linux.so.1) maintained by David Engle <davidat_private> and the newer ld that is part of the GNU libc (aka glibc aka libc6).

ld-linux used to not ignore LD_PRELOAD and LD_LIBRARY_PATH for setuid/gid programs. This changed in version 1.6.7 and was further refined in 1.7.6 and 1.7.11. That version changed ld-linux.so to delete all variations of LD_PRELOAD and LD_LIBRARY_PATH for set[ug]id programs. This changed again in version 1.9.0. That version changed ld-linux.so to load the libraries listed in LD_PRELOAD for setuid/gid programs as long as they could be loaded securely. "Securely" means that the libraries in LD_PRELOAD must not contain '/' in them and therefore will be loaded from the configured library directories (/lib, /usr/lib, etc.) and not from a user-supplied one.

The GNU dynamic linker, in a similar move, ignored LD_PRELOAD for setuid/gid binaries. Ulrich Drepper changed it to allow loading libraries "securely" from LD_PRELOAD for setuid/gid programs on Jan 20, 1997 (version???).

Solaris 2 has the same behavior of loading libraries listed in LD_PRELOAD "securely" for setuid/gid binaries. I would expect many other operating systems to do the same.

This system is vulnerable to an attacker preloading an old library with known vulnerabilities that has not been deleted from the library directory while running a setuid/gid program.

The correct solution is to ignore LD_PRELOAD for setuid/gid programs and use /etc/ld.so.preload for global preload libraries. ld.so.preload was introduced in version 1.8.0 of ld-linux and is part of almost every other ld.

Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
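The three set[ug]id policies the post describes (honour LD_PRELOAD as given, drop it entirely, or keep only '/'-free names resolved from the system library directories) can be modelled side by side to see why the "secure" variant still leaves the stale-library exposure the post points out. The code below is an added example written for this page; it is not code from the post, from ld-linux or from glibc. The library directories, the fake filesystem, the library names and the LD_PRELOAD values are all constructed, and the policy names "trust", "ignore" and "secure" are labels chosen here, not linker terminology. The ld.so.preload parser treats '#' as a comment marker, which is how current glibc reads that file; the post itself only says the file lists global preload libraries.

```python
"""Model of how a dynamic linker might treat LD_PRELOAD for set[ug]id programs.

Added example for this page; not the post's code and not any real linker's code.
Everything below (directories, files, names) is constructed for illustration.
"""
import os

# Constructed stand-in for the linker's configured library directories.
SYSTEM_LIB_DIRS = ["/lib", "/usr/lib"]

# Constructed stand-in for the filesystem: directory -> set of file names.
# "libstale-1.0.so" plays the role of an old library never removed from /lib.
FAKE_FS = {
    "/lib": {"libc.so.5", "libstale-1.0.so"},
    "/usr/lib": {"libfoo.so"},
    "/home/user/lib": {"untrusted.so"},
}


def parse_preload(value):
    """Split an LD_PRELOAD string on ':' or whitespace into library entries."""
    return [e for e in value.replace(":", " ").split() if e]


def path_exists(path, fs):
    """Existence check against the constructed filesystem."""
    directory, name = os.path.split(path)
    return name in fs.get(directory, set())


def resolve_in_system_dirs(name, fs, dirs=SYSTEM_LIB_DIRS):
    """Return the first system-directory path holding `name`, or None."""
    for d in dirs:
        if name in fs.get(d, set()):
            return os.path.join(d, name)
    return None


def preload_decision(ld_preload, is_setugid, policy, fs=FAKE_FS):
    """Return the list of paths the modelled linker would actually preload.

    policy (labels chosen for this example):
      "trust"  - honour LD_PRELOAD as given, even for set[ug]id programs
      "ignore" - drop LD_PRELOAD entirely for set[ug]id programs
      "secure" - for set[ug]id programs keep only names without '/', and
                 resolve them from the configured library directories
    A process that is not set[ug]id keeps full LD_PRELOAD under every policy.
    """
    loaded = []
    for name in parse_preload(ld_preload):
        if not is_setugid or policy == "trust":
            if "/" in name:
                path = name if path_exists(name, fs) else None
            else:
                path = resolve_in_system_dirs(name, fs)
        elif policy == "ignore":
            path = None
        elif policy == "secure":
            path = None if "/" in name else resolve_in_system_dirs(name, fs)
        else:
            raise ValueError("unknown policy: %r" % policy)
        if path:
            loaded.append(path)
    return loaded


def read_ld_so_preload(text):
    """Parse /etc/ld.so.preload contents: names separated by whitespace or ':',
    '#' starting a comment (the way current glibc reads the file)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(parse_preload(line))
    return libs


if __name__ == "__main__":
    for policy in ("trust", "ignore", "secure"):
        print(policy, "user path:", preload_decision("/home/user/lib/untrusted.so", True, policy))
        print(policy, "stale lib:", preload_decision("libstale-1.0.so", True, policy))
    print("ld.so.preload:", read_ld_so_preload("# global preloads\n/lib/libfoo.so\n"))
```

Running it shows the point of the post: under "secure" a user-supplied path is refused, but a bare name such as libstale-1.0.so is still honoured because it resolves from /lib, so any outdated library left in a system directory remains reachable; under "ignore" nothing from the environment is loaded, and site-wide preloads come only from /etc/ld.so.preload, which an unprivileged user cannot edit.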
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:21 PDT