LD_LIBRARY_PATH and setuid-root programs


Post by Chris Ranki » Tue, 20 Oct 1998 04:00:00



Hello all,

I have just spent a very frustrating evening trying to set the
LD_LIBRARY_PATH variable for RealPlayer 5.0. I tried initialising it in
/etc/profile but it never showed up in my environment and I couldn't
understand why not until I inspected the README for ld.so-1.9.9. It
seems that ld.so deletes this variable and all others like it whenever
it loads a setuid-root program. This must be a security issue, but then
why can't ld.so simply *ignore* LD_LIBRARY_PATH instead of deleting it,
and therefore give the program a chance to drop its root privileges?

The root (no pun intended) of my problem here is that both xterm and su
are setuid-root programs.

Cheers,
Chris.

 
 
 


Post by Miquel van Smoorenbu » Tue, 20 Oct 1998 04:00:00




>Hello all,

>I have just spent a very frustrating evening trying to set the
>LD_LIBRARY_PATH variable for RealPlayer 5.0. I tried initialising it in
>/etc/profile but it never showed up in my environment and I couldn't
>understand why not until I inspected the README for ld.so-1.9.9. It
>seems that ld.so deletes this variable and all others like it whenever
>it loads a setuid-root program.

Correct.

>This must be a security issue, but then
>why can't ld.so simply *ignore* LD_LIBRARY_PATH instead of deleting it,
>and therefore give the program a chance to drop its root privileges?

Because at that time it's too late to load the libraries anyway.
And keeping this variable is a _big_ security hole.

>The root (no pun intended) of my problem here is that both xterm and su
>are setuid-root programs.

And both xterm and su usually execute shells. Shells which _will_
read /etc/profile.

Mike.
--
  "Did I ever tell you about the illusion of free will?"
    -- Sheriff Lucas Buck, ultimate BOFH.

 
 
 


Post by Andreas Schwa » Tue, 20 Oct 1998 04:00:00




|> >The root (no pun intended) of my problem here is that both xterm and su
|> >are setuid-root programs.
|>
|> And both xterm and su usually execute shells. Shells which _will_
|> read /etc/profile.

But only if started as login shells (xterm -ls, su -).

--
Andreas Schwab                                      "And now for something


 
 
 


Post by Stefan Monnie » Tue, 20 Oct 1998 04:00:00



> And both xterm and su usually execute shells. Shells which _will_
> read /etc/profile.

/etc/profile will only be read if the shell is `sh' and if xterm was `xterm
-ls' or if su was `su -'.
RealPlayer simply has to be either compiled with its own rpath (but since only
the binary is available, it's kind of hard although hacking the ELF file
should be possible, but it seems the binutils don't offer this specific
possibility.  I tried to do an `ld -o rvplayer -rpath /foo/lib rvplayer'
and it kind of works except that the rpath is *not* encoded in :-( ).
So I said either use rpath or have rvplayer be a script that sets
LD_LIBRARY_PATH and then runs the actual binary.

        Stefan

 
 
 


Post by Marc Slemk » Tue, 20 Oct 1998 04:00:00



>>This must be a security issue, but then
>>why can't ld.so simply *ignore* LD_LIBRARY_PATH instead of deleting it,
>>and therefore give the program a chance to drop its root privileges?
>Because at that time it's too late to load the libraries anyway.
>And keeping this variable is a _big_ security hole.

It is too late for that process, but it isn't too late for anything
that it may run.  Most other OSes just ignore it for that process
but do pass it through.  Any setuid program that runs child processes
without being sure they have a proper environment is broken anyway
so this really doesn't add security.
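
The point made in the post above, that a setuid program must itself make sure anything it runs gets a proper environment, can be illustrated by building the child's environment from an allowlist instead of passing the caller's through. This is an added example, not code from the thread or from ld.so; the allowlist, the fixed PATH and IFS values, and the names env_find and build_child_env are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names the child may inherit from the caller (allowlist assumed for this example). */
static const char *const ALLOWED[] = { "TERM", "LANG", "TZ", "DISPLAY", NULL };
/* Values the privileged parent sets itself, never copied from the caller. */
static char *const FIXED[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Return the first "NAME=value" entry for `name` in a NULL-terminated envp, or NULL. */
char *env_find(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i];
    return NULL;
}

/* Build the child's envp: the first occurrence of each allowlisted name, then FIXED.
 * LD_LIBRARY_PATH, LD_PRELOAD and every other unlisted name are simply never copied. */
char **build_child_env(char *const in[])
{
    size_t out = 0;
    char **env = calloc(sizeof ALLOWED / sizeof *ALLOWED +
                        sizeof FIXED / sizeof *FIXED, sizeof *env); /* counts include NULL slots */
    if (!env) return NULL;
    for (size_t a = 0; ALLOWED[a]; a++) {
        char *entry = env_find(in, ALLOWED[a]);
        if (entry)
            env[out++] = entry;
    }
    for (size_t i = 0; FIXED[i]; i++)
        env[out++] = FIXED[i];
    return env;  /* calloc zeroed the array, so it is already NULL-terminated */
}

int main(void)
{
    /* Constructed sample of what a caller might hand to a setuid program. */
    char *caller[] = { "TERM=xterm", "LD_LIBRARY_PATH=/tmp/lib", "LD_PRELOAD=/tmp/x.so",
                       "PATH=/tmp:/usr/bin", "TERM=dumb", NULL };
    char **env = build_child_env(caller);
    if (!env) return 1;
    for (size_t i = 0; env[i]; i++)
        puts(env[i]);  /* a real program would drop privileges, then execve(path, argv, env) */
    free(env);
    return 0;
}
```

Because only the first match for each allowlisted name is copied, a duplicated TERM entry cannot reach the child, and the caller's PATH is replaced rather than filtered.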
 
 
 


Post by James Youngm » Tue, 20 Oct 1998 04:00:00





> >Hello all,

> >I  have just spent a very frustrating evening trying to set the
> >LD_LIBRARY_PATH variable for RealPlayer 5.0. I tried initialising it in
> >/etc/profile but it never showed up in my environment and I couldn't
> >understand why not until I inspected the README for ld.so-1.9.9. It
> >seems that ld.so deletes this variable and all others like it whenever
> >it loads a setuid-root program.

> Correct.

> >This must be a security issue, but then
> >why can't ld.so simply *ignore* LD_LIBRARY_PATH instead of deleting it,
> >and therefore give the program a chance to drop its root privileges?

> Because at that time it's too late to load the libraries anyway.
> And keeping this variable is a _big_ security hole.

In many cases /etc/ld.so.preload is a more secure alternative.
--

 
 
 

1. LD_LIBRARY_PATH and setuid (was: strange: LD_LIBRARY_PATH disappears)

Not only *do* reasoned persons disagree, but as I seem to recall these
reasoned people put their reasoned argument in the release notes of
ld.so.

In summary: Most setuid programs are not explicitly
"LD_LIBRARY_PATH" aware - after all many are ported from systems where
dynamic library handling is different.  If such a program changes real
UID and then exec()s another program which is not setuid then this
second program could now be operating with root (or other privileged
UID) privileges and a user supplied libc.  This would constitute a
security hole you could drive a truck through.  (I'm sure there are
plenty of people out there with trucks ready and waiting).

The solution to this would be simple.  ld.so should not completely
remove "LD_LIBRARY_PATH" from the environment of setuid binaries but
rather rename it to another symbol name.  LD_LIBRARY_PATH aware setuid
programs could then re-instate the LD_LIBRARY_PATH for child processes
iff it was safe to do so.

comp.os.linux.development.system added to newsgroups line as it is now
probably the most relevant newsgroup to this discussion.
