LD_PRELOAD and LD_AUDIT are processed on setuid binaries


X so the process can get at them if it really wants, but code written without thinking about suid conditions wouldn't be tripped up.

I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations. That particular exploit mechanism is fairly modern, using relatively recent Linux kernel features, but there are others. If you are serious about security you really need a good IPC on multi-user systems.

In his description of the flaw, Ormandy gives an example using libpcprofile, a profiling library that ships with glibc.

If yes, why isn't ping installed like this by default?

Or does anyone knowledgeable feel like doing a guest article on the subject?

Not all NSS functionality goes through nscd even when it's enabled.

Two glibc vulnerabilities (Posted Oct 29)

Also, am I correct in thinking that if you keep your untrusted-user-writeable directories on different partitions from your setuid executables, you'll thwart this attack?

He then removes the directory and its contents, and puts a library that has exploit code in its initialization function in the place of the directory. Otherwise, of course, it would be trivial for anyone to gain their enhanced capabilities. Ormandy doesn't really see a problem with that: It is essentially a race condition, but one that can be reliably won by the attacker.

For instance, imagine if ping, instead of being setuid, called into dbus to load a helper daemon, and that helper daemon did all the actions which need root (in this example, sending pings).

Look at David A.

If those libraries are not available as separate files, in the expected location, name resolution fails.

Raw sockets aren't really something you want to give to an untrusted user to play with, either.

It might not have helped here, but many exploits would surely be prevented by using some sort of suid loader, something like sudo, to load binaries which have to run setuid root, rather than marking the binaries themselves.

Unless the execing process is already running as the specified user.

The details will vary depending on the distribution, but most will be vulnerable to the flaw.

If you appreciate this content and would like to see more of it, your subscription will help to ensure that LWN continues to thrive.

It seems like a useful facility, but one that is likely not in the toolbox of many Linux developers.

There are various events specified in the rtld-audit man page, including searching for an object, opening an object, binding to a symbol, and so on.

Or, alternatively, every environment variable X could be renamed.

So, an exploit is done by finding a vulnerable system library (it must be on the trusted path) that was not written with setuid execution in mind and thus does not have the setuid bit set in the filesystem.

The glibc maintainers are some of the smartest guys in free software, and well known for having a "no hand-holding" stance on various issues, so I suspect they wanted a better argument than this for modifying the behaviour. I pointed it out a few years ago, but there was little interest.
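The rtld-audit events listed above are easiest to see in a minimal audit library. The following is an added example written for this page, not glibc's own code and not Ormandy's exploit: it logs object searches, object opens and symbol bindings, and, as the caveat the libpcprofile case teaches, it only honours an environment-supplied output path (the hypothetical AUDIT_DEMO_LOG variable is an assumption of this example) when the process is not in secure-execution mode, as reported by AT_SECURE in the auxiliary vector. Current glibc restricts or ignores LD_AUDIT in secure-execution mode (see ld.so(8)), so the demo is meant for ordinary, non-setuid runs.

```c
/* audit_demo.c: minimal rtld-audit library (added example, not glibc's code).
 * Build: gcc -shared -fPIC -o audit_demo.so audit_demo.c
 * Run:   LD_AUDIT=./audit_demo.so AUDIT_DEMO_LOG=/tmp/audit.log /bin/true
 */
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>       /* LAV_CURRENT, struct link_map, Lmid_t, LA_FLG_*, LA_SYMB_* */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */

static FILE *logf;                          /* where audit events are written */

static FILE *out(void) { return logf ? logf : stderr; }

/* Decide whether an environment-supplied output path may be honoured.
 * This is the check libpcprofile lacked: it wrote to PCPROFILE_OUTPUT even
 * inside a setuid process.  Returns env_path when it is safe to use, or NULL
 * meaning "fall back to stderr".  Kept as a pure function so it is testable. */
const char *choose_log_path(int secure_mode, const char *env_path)
{
    if (secure_mode)                        /* AT_SECURE: setuid/setgid/capabilities */
        return NULL;
    if (env_path == NULL || env_path[0] == '\0')
        return NULL;
    return env_path;
}

/* First callback from the loader: negotiate the audit interface version. */
unsigned int la_version(unsigned int version)
{
    int secure = getauxval(AT_SECURE) != 0;
    /* AUDIT_DEMO_LOG is a hypothetical variable name chosen for this example. */
    const char *path = choose_log_path(secure, getenv("AUDIT_DEMO_LOG"));
    if (path != NULL)
        logf = fopen(path, "a");            /* NULL on failure; out() falls back */
    fprintf(out(), "la_version: loader offers %u, using %u, AT_SECURE=%d\n",
            version, LAV_CURRENT, secure);
    return LAV_CURRENT;
}

/* Event: the loader is searching for an object.  Returning a different
 * string would redirect the search; returning name leaves it untouched. */
char *la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag)
{
    (void)cookie;
    fprintf(out(), "la_objsearch: %s (flag %u)\n", name, flag);
    return (char *)name;
}

/* Event: an object was opened.  Ask for symbol-binding notifications
 * both when this object is bound to and when it binds to others. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;
    fprintf(out(), "la_objopen: %s\n",
            map->l_name[0] ? map->l_name : "(main program)");
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Event: a symbol is being bound (lazy PLT resolution or at load time). */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags, const char *symname)
{
    (void)ndx; (void)refcook; (void)defcook;
    fprintf(out(), "la_symbind: %s -> %#lx\n", symname,
            (unsigned long)sym->st_value);
    *flags |= LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT;  /* no pltenter/pltexit hooks */
    return sym->st_value;                   /* return the address unchanged */
}
```

Run against a normal binary the log shows the search, open and bind events in order; run with AUDIT_DEMO_LOG set the output goes to that file only because AT_SECURE is zero. The separation of choose_log_path from the environment lookup is deliberate: a library that may end up in a privileged process should make that decision in one auditable place rather than sprinkling getenv() through its constructors.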