misc/41179: LD_LIBRARY_PATH security checks
Ceri Davies
ceri at FreeBSD.org
Mon Jun 2 16:10:13 PDT 2003
The following reply was made to PR misc/41179; it has been noted by GNATS.
From: Ceri Davies <ceri at FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Cc:
Subject: Re: misc/41179: LD_LIBRARY_PATH security checks
Date: Tue, 3 Jun 2003 00:04:31 +0100
Adding to audit trail, from misfiled PR misc/52872:
Date: Mon, 2 Jun 2003 10:13:44 -0700
From: David Schultz <das at FreeBSD.org>
Message-Id: <20030602171344.GA2249 at HAL9000.homeunix.com>
References: <200207302036.g6UKamu9051791 at www.freebsd.org> <20030601181850.GA946 at HAL9000.homeunix.com> <20030602161606.GA26694 at nerds.org.uk>
On Mon, Jun 02, 2003, Lee Brotherston wrote:
> > If you su to root from the account of an untrusted user, you're
> > asking for trouble anyway. There are many documented cases of
> > people breaking root this way, and you don't even need to fiddle
> > with LD_LIBRARY_PATH. The untrusted user just sets his PATH to
> > include a fake version of su(1) that records root's password,
> > prints ``Sorry'', and spawns the real su(1). The correct thing to
> > do is to use su(1) only from trusted accounts.
>
> True, it was this sort of thinking that made me ponder this in the
> first place. My thinking was that although this can be achieved as
> described, LD_LIBRARY_PATH is less checked than PATH and so is a little
> stealthier, maybe I'm wrong.
>
> I suspect that not implementing a security feature because there's
> already a similar, easier way to compromise the machine isn't the best
> reason not to do it ;)
The trojan su trick can be done quite stealthily. Many users
already have $HOME/bin in their path, so all they need to do is
make a $HOME/bin/su that records passwords. An even stealthier
tactic is to trojan the shell. The bottom line is that if a
user's account is compromised and someone su's to root from that
account, the root account can be easily compromised. In fact,
even if your LD_LIBRARY_PATH check were implemented, an attacker
could easily construct a trojanned binary that skipped the check.
So I'm not convinced that preventing one of many avenues for such
an attack is worthwhile. On the other hand, you're more than
welcome to submit patches, and others may agree with you on this
matter.
More information about the freebsd-bugs
mailing list