
Distribution of security fixes

Distribution of security fixes

Posted Aug 26, 2004 11:41 UTC (Thu) by rwmj (guest, #5474)
Parent article: Distribution of security fixes

Unfortunately the maintainer of glibc isn't very receptive to problems with LD_* environment variables and setuid or other processes.

For example, for the longest time, having an empty path in LD_LIBRARY_PATH has meant that the current directory is searched for libraries, e.g. if LD_LIBRARY_PATH accidentally contains :/usr/local/lib then the current directory is always checked for libraries before any other directory.

This happens because sys admins do things like:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

and put it in the system-wide profile scripts (note what happens if LD_LIBRARY_PATH is empty to begin with). If you have a sysadmin who's made this simple mistake, then it's trivial to take over the system - create a library like libtermcap.so containing trojan code, drop it into /tmp, and just wait. As soon as anyone types 'ls' in /tmp, they're running your code.

There's a simple and obvious fix - ignore empty elements in LD_LIBRARY_PATH. If the sysadmin is stupid enough to want the current directory searched, let them specify a library path of "." explicitly.

The maintainer of glibc does not see this bug as a bug which requires fixing. Instead he would prefer all sysadmins in the world to vet their profile scripts carefully.

Rich.



Distribution of security fixes

Posted Aug 26, 2004 19:16 UTC (Thu) by jreiser (subscriber, #11027) [Link]

Other lessons: Syntax with terminators tends to be more secure than syntax with separators, because 1:1 has no boundary case that n:(n-1) has. The shell could offer builtin procedures for appending and pre-pending to separated lists.

Distribution of security fixes

Posted Sep 2, 2004 12:47 UTC (Thu) by ingvar (guest, #1530) [Link]

It (sort-of) exists in POSIX-compliant shells...

FOO=${FOO+$FOO:}/usr/local/lib # should do the trick

ingvar@gruk$ FOO=${FOO+$FOO:}/usr/local/lib
ingvar@gruk$ echo $FOO
/usr/local/lib
ingvar@gruk$ FOO=${FOO+$FOO:}/evil/cracker/path
ingvar@gruk$ echo $FOO
/usr/local/lib:/evil/cracker/path
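
An added example, not part of the original post: it compares the plain `$V:/dir` append from the parent comment, the `${V+$V:}` form used above, and the `${V:+$V:}` variant when the variable starts out unset, set but empty, or already populated. The function names and the `/opt/lib` starting value are constructed for illustration.

```shell
#!/bin/sh
# Added example. append_with IDIOM STATE prints the value V ends up with after
# appending /usr/local/lib with one of three idioms, starting from V being
# unset, set-but-empty, or set to a constructed sample directory.
append_with() (
    unset V
    case $2 in
        unset) ;;
        empty) V= ;;
        set)   V=/opt/lib ;;                        # constructed sample value
    esac
    case $1 in
        naive)     V=$V:/usr/local/lib ;;           # export X=$X:/dir
        plus)      V=${V+$V:}/usr/local/lib ;;      # form used in the post above
        colonplus) V=${V:+$V:}/usr/local/lib ;;     # also treats "" as absent
    esac
    printf '%s\n' "$V"
)

# has_empty VALUE: true if the list has a leading, trailing or doubled colon.
has_empty() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one row per idiom/state combination.
for idiom in naive plus colonplus; do
    for state in unset empty set; do
        result=$(append_with "$idiom" "$state")
        if has_empty "$result"; then verdict='EMPTY COMPONENT'; else verdict=ok; fi
        printf '%-9s %-5s -> %-24s %s\n' "$idiom" "$state" "$result" "$verdict"
    done
done
```

The `plus` form only covers the unset case; a variable that is set to the empty string still produces a leading colon, which `colonplus` avoids.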

Distribution of security fixes

Posted Aug 27, 2004 14:24 UTC (Fri) by jeremiah (subscriber, #1221) [Link]

That's just beautiful man. I'll have to check some of my systems out now, but that's alright. That has to be the slickest flaw I've heard about in quite some time.

Does anyone know of a place to find a list of features similar to this in type? I.e. ones that a sysadmin should logically be able to create without worry, yet are completely heinous? I've been doing Linux for 12 years, and have never heard of this, and I wonder where I should go to find more like it, since this is not the type of stuff to show up in most advisories.

FYI LWN staff, I'd pay for gems like this. I.e. a long-standing list of potential exploits that cannot be fixed by patching.

Distribution of security fixes

Posted Aug 27, 2004 14:36 UTC (Fri) by jeremiah (subscriber, #1221) [Link]

Just a follow-up question: what's a nice tool for checking system security from the inside? Most tools I use either check from the outside (nessus et al.) or monitor the state of the system inside (logwatch/tripwire etc.). Bastille will harden the system, but I'd like a report-based thing, so that I can choose the vulnerabilities I'd like to keep as well as fix the others in a way that matches our infrastructure.

Distribution of security fixes

Posted Aug 27, 2004 22:17 UTC (Fri) by EricBackus (guest, #2816) [Link]

Note that there's a similar problem with $PATH. Doing:
    export PATH=$PATH:/usr/local/bin
could possibly give you an empty component in PATH, which we all know is a bad thing. Now, an empty PATH variable is probably less common than an empty LD_LIBRARY_PATH, but you never know...

Long ago, I wrote an "add_to_path" shell function, which only adds a path if the path exists and does the right thing if the current path is empty. It's not TOO complicated:

# Add a directory to PATH if it exists and is not already in PATH.
# PATH is $1, Directory is $2.  If PATH does not exist, don't prepend
# a ":" since that adds the current directory to it.  If optional $3
# is equal to "atstart", add the new component to the start of PATH,
# otherwise add it at end.
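function add_to_path
{
    if [ -d "$2" ]; then
        p=`eval echo \"\\$$1\"`
        # Compare whole components: a substring grep would treat /bin as
        # already present whenever /usr/bin is in the list.
        case ":$p:" in
            *":$2:"*) return 0 ;;
        esac
        if [ -z "$p" ]; then
            # Empty list: assign directly, with no ":" and so no empty component.
            eval $1=\""$2"\"
        else
            if [ "$3" = "atstart" ]; then
                eval $1=\""$2:\$$1"\"
            else
                eval $1=\""\$$1:$2"\"
            fi
        fi
    fi
}
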
With that in place, your shell script can do:
    add_to_path PATH /usr/local/bin
    add_to_path LD_LIBRARY_PATH /usr/local/lib
    add_to_path MANPATH /usr/local/man
And you ensure that things work correctly and efficiently.

Distribution of security fixes

Posted Sep 5, 2004 16:22 UTC (Sun) by k8to (subscriber, #15413) [Link]

Maybe you really like your script, but it seems problematic to me. It's possible to want a dir in a path which does not currently exist. Also, it will not work on some versions of sh which do not support the 'function' keyword.

Personally I'd separate add_to_path from add_to_manpath to produce the simple:

add_to_path() {
    # Empty PATH: assign directly so no empty (current-directory) component appears.
    if [ "$PATH"x = x ]; then PATH=$1
    elif [ "$2" = atstart ]; then PATH=$1:$PATH
    else PATH=$PATH:$1; fi
}

But I suppose, each to his own.

Distribution of security fixes

Posted Sep 6, 2004 3:10 UTC (Mon) by zone (guest, #3633) [Link]

I was about to point out that this is a requirement of SUS, but it turns out even SUSv2 regards this as a legacy feature. From SUSv3:

PATH
[...]
A zero-length prefix is a legacy feature that indicates the current working directory. It appears as two adjacent colons ( "::" ), as an initial colon preceding the rest of the list, or as a trailing colon following the rest of the list. A strictly conforming application shall use an actual pathname (such as .) to represent the current working directory in PATH .
[...]
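
An added example, not part of the original comment or of any standard: a small check for the three zero-length forms the quoted text lists (initial colon, two adjacent colons, trailing colon), together with a cleaner that applies the "ignore empty elements" behaviour suggested at the top of the thread on the shell side. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report and remove zero-length components in a
# colon-separated search path (PATH, LD_LIBRARY_PATH).

# zero_length_forms VALUE: prints which of the three forms occur.
zero_length_forms() (
    forms=
    case $1 in :*)   forms="$forms leading"  ;; esac
    case $1 in *::*) forms="$forms adjacent" ;; esac
    case $1 in *:)   forms="$forms trailing" ;; esac
    printf '%s\n' "${forms# }"
)

# drop_empty VALUE: the same list without its zero-length components.
# A list that relied on one to mean "current directory" stops doing so.
drop_empty() (
    out=
    IFS=:
    set -f                      # no globbing while the value is split
    for c in $1; do
        if [ -n "$c" ]; then out=${out:+$out:}$c; fi
    done
    printf '%s\n' "$out"
)

# audit_var NAME VALUE: returns 1 and prints a finding if VALUE is affected.
audit_var() {
    found=$(zero_length_forms "$2")
    if [ -z "$found" ]; then return 0; fi
    printf '%s: zero-length component (%s); without it: %s\n' \
        "$1" "$found" "$(drop_empty "$2")"
    return 1
}

# Constructed sample values, not taken from a real system.
audit_var LD_LIBRARY_PATH ':/usr/local/lib' || true
audit_var PATH '/usr/bin::/bin:' || true
audit_var PATH '/usr/bin:/bin' || true
```

To check a live session, pass the real values, for instance `audit_var PATH "$PATH"` at the end of a profile script.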

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds