From: Peter O'Gorman
Subject: Re: libltdl is inefficient and a security hazard
Date: Thu, 05 Nov 2009 12:55:20 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4pre) Gecko/20091014 Fedora/3.0-2.8.b4.fc11 Thunderbird/3.0b4

On 11/05/2009 12:37 PM, Bob Friesenhahn wrote:
> Under OS-X Leopard, I see that a directory under my home directory
> ("/Users/bfriesen/lib/") gets searched when loading a module. This
> does not seem very secure since an ordinary user can write to this
> directory and put an exploit there. I am not immediately seeing a
> reason for this:
>
> % sudo dtruss ./ltdlopentest ./mymodule.la 2>&1 | grep mymodule.a
> stat("mymodule.a\0", 0xBFFFD920, 0xBFFFF3D8) = -1 Err#2
> stat("/Users/bfriesen/lib/mymodule.a\0", 0xBFFFE140, 0xBFFFF3D8) = -1 Err#2
> stat("/usr/local/lib/mymodule.a\0", 0xBFFFE150, 0xBFFFF3D8) = -1 Err#2
> stat("/usr/lib/mymodule.a\0", 0xBFFFE150, 0xBFFFF3D8) = -1 Err#2
>
> Do other OS-X Leopard users see something similar?

You'll see the same behavior with:

#include <dlfcn.h>

int main()
{
    void * a = dlopen("foo",RTLD_GLOBAL);
    if (a) dlclose(a);
    return 0;
}

Because $HOME/lib is in the default dynamic linker search path (see dyld(1)). Using dlopen() like this is not a good idea for a secure program, best to use an absolute path to avoid searching :)

Peter
--
Peter O'Gorman
http://pogma.com