Critical Linux security API is still a kludge (Inquirer)
Posted Oct 23, 2006 15:06 UTC (Mon) by nix
In reply to: Critical Linux security API is still a kludge (Inquirer)
Parent article: Critical Linux security API is still a kludge (Inquirer)
The idea is that it checks *every* access to a given file, so single-process hacks like LD_PRELOAD aren't really good enough (e.g. what if something else needs a preloadable library? What about what it does to prelink?)
Doing it globally with /etc/ld.so.preload is possible, but using this deactivates prelink and thus generally kills performance (there's no point in fixing it, as /etc/ld.so.preload is very much a debugging hack only and *not* meant for production use).
Putting it in the kernel (perhaps in a stacked filesystem a-la unionfs, once that gets into the kernel) is probably a better idea.