Subject: re: RelCache (aka ELF prebinding) news
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: matthew green <mrg@eterna.com.au>
List: tech-userlevel
Date: 12/04/2002 14:23:59
Attacker now waits. Eventually, someone runs something that uses the
real libfoo.so. The dynamic linker finds the bogus cache file, sees it
has the right checksum-- and uses its symbol values. Oops.
updating the cache should be a root-only thing. anything leads to
madness as you say.  also, it seems that set-id programs should
probably _not_ use prebinding (hmm.. need to think more on that one).
.mrg.
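
The two checks proposed in this message, sketched in C as an added example; it is not part of the original mail and not code from the RelCache work or any dynamic linker. All function names are hypothetical, and it assumes a cache file counts as "root-only" when it is a regular file owned by uid 0 with no group or other write bit.

```c
#define _XOPEN_SOURCE 700
#include <stdbool.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy on already-fetched metadata: only root may have written this file. */
bool cache_meta_trusted(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return false;                     /* no directories, FIFOs, devices */
    if (st->st_uid != 0)
        return false;                     /* a checksum match alone is not enough */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return false;                     /* writable by someone other than root */
    return true;
}

/* Set-id processes skip the prebinding cache and bind the normal way. */
bool process_is_setid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Returns an open fd for a cache file that passes both checks, else -1. */
int open_trusted_cache(const char *path)
{
    if (process_is_setid(getuid(), geteuid(), getgid(), getegid()))
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    /* fstat() on the open fd, so the file checked is the file later read. */
    if (fstat(fd, &st) != 0 || !cache_meta_trusted(&st)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "relcache.example"; /* constructed name */
    int fd = open_trusted_cache(path);
    printf("%s: %s\n", path, fd >= 0 ? "use cache" : "ignore cache, bind normally");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The directories leading to the cache file need the same ownership and mode restrictions, which this sketch does not check.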