[uClibc] RE: [uClibc-cvs] svn commit: trunk/uClibc/ldso/ldso:armcris i386 m68k mips powerpc sh sh64 etc...

Rob Landley rob at landley.net
Tue Mar 22 08:05:35 UTC 2005


On Sunday 20 March 2005 06:47 pm, Joakim Tjernlund wrote:
> > Pretty much.  It's just a new potential security hole (for uClibc,
> > glibc's had it for a long time) that will be in the next release that
> > wasn't in the last release.  I'm not saying we shouldn't have it, just
> > that we shouldn't spring it on users without warning.
> >
> > > for the sake of the security minded, we could just default it to off
> > > -mike
> >
> > Yes, and comment about the security implications in the help would be
> > very nice too.  "This feature can be used to bypass the "noexec" mount
> > flag, so secure systems will disable it (or remove the executable bit
> > from the ld-uClibc binary)."
>
> I don't think this has any real impact on security. There is nothing that
> prevents somebody to write their own ldso, or copy the existing ldso, and
> modify it or setting +x on the copied ldso.

Yes it does, and yes there is.

Suppose I boot from a read-only mount, with all the writeable space on the 
system mounted noexec.  When they write their own "ldso" into writeable 
space, or copy the existing ldso to writeable space, that writeable space is 
mounted noexec so their new ldso is useless.

The above is rendered useless by the ability to run the existing ldso (off the 
executable, but read-only mount) so that they can run any arbitrary binaries 
they upload, even out of a noexec mount.

See?

Rob
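
An audit of the hardening discussed in this thread, added here as an example and not part of the original message or of uClibc: it lists writable mounts that lack noexec and reports whether the loader still has an executable bit. The loader path `/lib/ld-uClibc.so.0` and the sample mount table are assumptions constructed for illustration.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/root / ext2 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /var tmpfs rw,nosuid,nodev 0 0
/dev/mtdblock3 /data jffs2 rw,noexec 0 0
"""

def parse_mounts(text):
    """Yield (mountpoint, fstype, options) for each /proc/mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        yield mountpoint, fields[2], set(fields[3].split(","))

def writable_exec_mounts(text):
    """Mounts that are writable and not noexec: uploads there run directly."""
    return [mp for mp, _fs, opts in parse_mounts(text)
            if "rw" in opts and "noexec" not in opts]

def loader_is_executable(path):
    """True if any executable bit is set on the loader binary."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def audit(mounts_text, loader_path):
    """Return findings for the read-only-root plus noexec setup in the thread."""
    findings = [f"{mp}: writable and not mounted noexec"
                for mp in writable_exec_mounts(mounts_text)]
    if os.path.exists(loader_path) and loader_is_executable(loader_path):
        findings.append(f"{loader_path}: loader is executable, so noexec "
                        "does not constrain binaries started through it")
    return findings

if __name__ == "__main__":
    # Assumed loader path; adjust to the target's actual ld-uClibc location.
    with open("/proc/mounts") as f:
        for finding in audit(f.read(), "/lib/ld-uClibc.so.0"):
            print(finding)
```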


