Shared libs-SUID-Security

Robert Connolly robert at linuxfromscratch.org
Thu Feb 3 09:40:00 PST 2005


On February 3, 2005 12:10 pm, Randy McMurchy wrote:
> My apologies if this is off-topic for this list, however, due to the
> question being security related, I thought I could get good answers
> from you security gurus.
>
> Could you review the question posted at:
> http://linuxfromscratch.org/pipermail/blfs-dev/2005-February/009083.html
> and perhaps provide an answer for me?
>
> I'm somewhat stuck trying to update a package, and would really like
> to know if I'm making a mistake by building a shared library.

One of the major problems with using shared libraries is the LD_PRELOAD 
variable. Glibc and uClibc both do credential checks, and will disallow stuff 
like this when a program's UID and EUID are different, which is what happens 
when running suid programs. David Wheeler has written about this in the 
secure programming howto. See:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/dlls.html

There was an exploit for sshd a few years ago where the user could set the 
environment (and LD_PRELOAD) before logging in. This is why 
PermitUserEnvironment exists in sshd_config, and is no by default.

Ulrich Drepper doesn't like static libs: "Fixed addresses are the dreams of 
attackers." I agree with him on this. See:
http://people.redhat.com/~drepper/no_static_linking.html

Other than environment variables like LD_PRELOAD, I can't think of any reason 
dynamic linking is more vulnerable than static, but libc has thought about 
this and made provisions for it. In hlfs, using the pax kernel patch, there 
are far more advantages to dynamic/shared. In your case there may be a small 
increase in the threat level with dynamic linking, which can be easily 
balanced with pax.

robert
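
Added example, not part of the original message and not glibc's or uClibc's code: a C sketch of the UID/EUID credential check described in the reply, together with a defensive scrub of loader variables from an environment array. The function names, the sample environment and the choice to drop every `LD_*` entry are assumptions of this example; `getauxval(AT_SECURE)` is the Linux interface for asking whether the process was started in secure-execution mode.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* The credential check from the message: a mismatch between real and
 * effective IDs (as in a SUID/SGID program) calls for secure mode. */
int ids_require_secure_mode(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* What the kernel reported at exec time: AT_SECURE is nonzero when the
 * executable should be treated securely. */
int process_in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Conservative filter (an assumption of this example, not glibc's own list):
 * remove every LD_* entry from a NULL-terminated environment array in place
 * before a privileged program executes a child. Returns the number removed. */
size_t scrub_loader_env(char **envp)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], "LD_", 3) == 0)
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not taken from the message. */
    char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/example.so",
                    "HOME=/root", "LD_LIBRARY_PATH=/tmp", NULL };
    printf("ids differ: %d, AT_SECURE: %d\n",
           ids_require_secure_mode(getuid(), geteuid(), getgid(), getegid()),
           process_in_secure_mode());
    printf("removed %zu loader variables\n", scrub_loader_env(env));
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```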


