Re: libltdl is inefficient and a security hazard

From: Peter O'Gorman
Subject: Re: libltdl is inefficient and a security hazard
Date: Thu, 05 Nov 2009 12:55:20 -0600

On 11/05/2009 12:37 PM, Bob Friesenhahn wrote:
> Under OS-X Leopard, I see that a directory under my home directory
> ("/Users/bfriesen/lib/") gets searched when loading a module. This does
> not seem very secure since an ordinary user can write to this directory
> and put an exploit there. I am not immediately seeing a reason for this:
>
> % sudo dtruss ./ltdlopentest ./mymodule.la 2>&1 | grep mymodule.a
> stat("mymodule.a\0", 0xBFFFD920, 0xBFFFF3D8) = -1 Err#2
> stat("/Users/bfriesen/lib/mymodule.a\0", 0xBFFFE140, 0xBFFFF3D8) = -1 Err#2
> stat("/usr/local/lib/mymodule.a\0", 0xBFFFE150, 0xBFFFF3D8) = -1 Err#2
> stat("/usr/lib/mymodule.a\0", 0xBFFFE150, 0xBFFFF3D8) = -1 Err#2
>
> Do other OS-X Leopard users see something similar?

You'll see the same behavior with:

#include <dlfcn.h>

int main() {
   /* bare name with no '/': the dynamic linker searches its default paths */
   void * a = dlopen("foo",RTLD_GLOBAL);
   if (a) dlclose(a);
   return 0;
}
Because $HOME/lib is in the default dynamic linker search path (see dyld(1)). Using dlopen() like this is not a good idea for a secure program, best to use an absolute path to avoid searching :)

Peter O'Gorman
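
Added example, not part of the original message: a C wrapper that follows the advice above by refusing any module path that is not absolute, and that also checks the file and its directory are not writable by other users. The names `module_path_is_trusted` and `dlopen_trusted` and the ownership policy are assumptions of this example.

```c
#define _XOPEN_SOURCE 700   /* expose realpath() on strict compilers */
#include <dlfcn.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trusted: owned by root or by us, and not writable by group or others. */
static int stat_is_trusted(const struct stat *st) {
    if (st->st_uid != 0 && st->st_uid != geteuid()) return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Returns 1 and fills resolved[PATH_MAX] when path is absolute, names a
 * regular file, and the file and its directory pass stat_is_trusted().
 * Only the immediate directory is checked, not every ancestor. */
int module_path_is_trusted(const char *path, char *resolved) {
    struct stat st;
    char dir[PATH_MAX];
    if (path == NULL || path[0] != '/') return 0;    /* bare name: loader would search */
    if (realpath(path, resolved) == NULL) return 0;  /* resolves symlinks and ".." */
    if (stat(resolved, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (!stat_is_trusted(&st)) return 0;
    strcpy(dir, resolved);
    char *slash = strrchr(dir, '/');
    if (slash == dir) slash[1] = '\0';               /* file sits directly in "/" */
    else *slash = '\0';
    if (stat(dir, &st) != 0 || !stat_is_trusted(&st)) return 0;
    return 1;
}

/* The check and the load are separate steps, so the directory policy above
 * is what keeps another user from swapping the file in between. */
void *dlopen_trusted(const char *path, int mode) {
    char resolved[PATH_MAX];
    if (!module_path_is_trusted(path, resolved)) return NULL;
    return dlopen(resolved, mode);
}

int main(int argc, char **argv) {
    const char *p = argc > 1 ? argv[1] : "foo";      /* bare name, as in the message */
    void *h = dlopen_trusted(p, RTLD_NOW | RTLD_LOCAL);
    printf("%s: %s\n", p, h ? "loaded" : "refused or failed to load");
    if (h) dlclose(h);
    return 0;
}
```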
