ALT Linux Bugzilla – Full Text Bug Listing
| Summary: | ldd tries to start xterm! | ||
|---|---|---|---|
| Product: | Sisyphus | Reporter: | imz <vanyaz> |
| Component: | glibc-utils | Assignee: | Gleb F-Malinovskiy <glebfm> |
| Status: | CLOSED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | P4 | CC: | glebfm, ldv |
| Version: | unstable | ||
| Hardware: | all | ||
| OS: | Linux | ||
|
Description
imz
2002-04-14 16:36:50 MSD
And if the DISPLAY is accessible for connection, ldd $(which xterm) run as root really starts an xterm and does not print the list of library links. And if the DISPLAY is accessible for connection, ldd $(which xterm) run as root really starts an xterm and does not print the list of library links. glibc dynamic linker doesn\'t allow to trace SUID/SGID applications. glibc dynamic linker doesn\'t allow to trace SUID/SGID applications. Running a file is an unexpected, undesirable and undocumented effect. Should it be considered as a bug? Running a file is an unexpected, undesirable and undocumented effect. Should it be considered as a bug? Nope, this is not a bug - it\'s a glibc dynamic linker security featute. It\'s should be documented somewhere... where? Nope, this is not a bug - it\'s a glibc dynamic linker security featute. It\'s should be documented somewhere... where? I thought this issue over once more, and now I\'d insist that this is not the right way for ldd to behave. It is very dangerous, and merely documenting this will not be enough. IMHO ldd should not start any program if it can\'t trace it, and print out some error message instead.
Consider a program like this:
main() {
execlp(\"/bin/rm\", \"-rf\", \"/\", 0);
}
Its binary (./rmall) is set setUID root (why? it\'s not important).
A user may be clever enough not to run ./rmall, but he may be interested in the output of ldd ./rmall. So he runs
ldd ./rmall
and something awful and completely unexpected happens: ldd runs it, and what is worse, it is run with root\'s permissions. And the user just wanted to know how it is linked, he assumed that ldd is an innocent program for exploring other programs.
I thought this issue over once more, and now I\'d insist that this is not the right way for ldd to behave. It is very dangerous, and merely documenting this will not be enough. IMHO ldd should not start any program if it can\'t trace it, and print out some error message instead.
Consider a program like this:
main() {
execlp(\"/bin/rm\", \"-rf\", \"/\", 0);
}
Its binary (./rmall) is set setUID root (why? it\'s not important).
A user may be clever enough not to run ./rmall, but he may be interested in the output of ldd ./rmall. So he runs
ldd ./rmall
and something awful and completely unexpected happens: ldd runs it, and what is worse, it is run with root\'s permissions. And the user just wanted to know how it is linked, he assumed that ldd is an innocent program for exploring other programs.
small fix to the previous note to be correct:
main() {
execlp(\"/bin/rm\", \"/bin/rm\", \"-rf\", \"/\", 0);
}
small fix to the previous note to be correct:
main() {
execlp(\"/bin/rm\", \"/bin/rm\", \"-rf\", \"/\", 0);
}
I have to agree; ldd should either + trace dynamic linker as expected; or + exit with EPERM. I have an idea how to fix it. I have to agree; ldd should either + trace dynamic linker as expected; or + exit with EPERM. I have an idea how to fix it. Fixed ldd in glibc-utils-2.2.5-alt6 Fixed ldd in glibc-utils-2.2.5-alt6 |
