You are right.. I want to check the LD_. If someone uses LD_PRELOAD to load a program with privilege, the code can get the same privilege, so I want to check the LD_ here.

Thanks for your discussion. So you agree with adding a hook for checking this envp?

Thanks,
Huagang

On Thu, 7 Feb 2002 Valdis.Kletnieksat_private wrote:

> On Wed, 06 Feb 2002 18:38:15 PST, Huagang Xie <xieat_private> said:
> > What I want is to check the "envp" ( the envp passed to the
> > sys_execve()).. current hook in do_execve() do not give me this envp,
>
> (Hmm.. checking caffeine levels first.. ;)
>
> I'm assuming that the goal here is to scan the environment being
> passed, and do something if you find something odd (for instance,
> LD_PRELOAD being set for a set[ug]id binary)?
>
> If so, are there any environment variables that a security module should
> be scanning for, rather than the application handling it itself? Yes,
> I know there *was* an LD_PRELOAD issue - but that got fixed where it should
> be fixed. And in the general case, pre-filtering for sanity is probably
> a lost cause - I've seen programs borked because one of the LC_* locale
> environments was modified. On the other hand, I've personally used
> (admittedly ugly) code like 'TZ=EST29EDT date +%m%d' to get yesterday's
> date....
>
> Now, I *could* see the utility of using this as a "filter for a recently
> discovered envp[] based exploit until a proper patch is available", but are
> there other uses foreseen? I'm not saying it's a bad idea, I'm trying to
> make sure I understand what Huagang sees it as doing....
>
>

--
LIDS secure linux kernel
http://www.lids.org/
1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 09:56:21 PST