misc/41179: LD_LIBRARY_PATH security checks

Ceri Davies ceri at FreeBSD.org
Mon Jun 2 16:10:13 PDT 2003 

The following reply was made to PR misc/41179; it has been noted by GNATS.

From: Ceri Davies <ceri at FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Cc:  
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
Date: Tue, 3 Jun 2003 00:04:31 +0100

 Adding to audit trail, from misfiled PR misc/52872:
 
 Date: Mon, 2 Jun 2003 10:13:44 -0700
 From: David Schultz <das at FreeBSD.org>
 Message-Id: <20030602171344.GA2249 at HAL9000.homeunix.com>
 References: <200207302036.g6UKamu9051791 at www.freebsd.org> <20030601181850.GA946 at HAL9000.homeunix.com> <20030602161606.GA26694 at nerds.org.uk>
 
  On Mon, Jun 02, 2003, Lee Brotherston wrote:
  > > If you su to root from the account of an untrusted user, you're
  > > asking for trouble anyway.  There are many documented cases of
  > > people breaking root this way, and you don't even need to fiddle
  > > with LD_LIBRARY_PATH.  The untrusted user just sets his PATH to
  > > include a fake version of su(1) that records root's password,
  > > prints ``Sorry'', and spawns the real su(1).  The correct thing to
  > > do is to use su(1) only from trusted accounts.
  > 
  > True, it was this sort of thinking that made me ponder this in the
  > first place.  My thinking was that although this can be achieved as
  > described, LD_LIBRARY_PATH is less checked than PATH and so is a little
  > stealthier, maybe I'm wrong.
  > 
  > I suspect that not implementing a security feature because there's
  > already a similar, easier way to compromise the machine isn't the best
  > reason not to do it ;)
  
  The trojan su trick can be done quite stealthily.  Many users
  already have $HOME/bin in their path, so all they need to do is
  make a $HOME/bin/su that records passwords.  An even stealthier
  tactic is to trojan the shell.  The bottom line is that if a
  user's account is compromised and someone su's to root from that
  account, the root account can be easily compromised.  In fact,
  even if your LD_LIBRARY_PATH check were implemented, an attacker
  could easily construct a trojanned binary that skipped the check.
  
  So I'm not convinced that preventing one of many avenues for such
  an attack is worthwhile.  On the other hand, you're more than
  welcome to submit patches, and others may agree with you on this
  matter.

More information about the freebsd-bugs mailing list