bug-glibc
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks


From: Ulrich Drepper
Subject: Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
Date: 25 Sep 2000 22:41:24 -0700
User-agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Capitol Reef)

Elias Levy <address@hidden> writes:

>    ld.so from glibc2 doesn't unset variables LD_DEBUG_OUTPUT and LD_DEBUG
> when running suid. If program calls setuid(0) and then fork(), child
> process will follow prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> overwrites any file in system.

LD_DEBUG_OUTPUT is unset, LD_DEBUG does not have to be.  This change
went in on 1999-07-25.  Also, a simple fork() doesn't do anything.
You have to have an exec().

I can add O_NOFOLLOW to the open of the file (this wasn't available at
the time I wrote that code) but it's only protecting one from oneself.

-- 
---------------.                          ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------



reply via email to

[Prev in Thread] Current Thread [Next in Thread]