Subject: Re: libraries & security (was Mosaic compile)
To: T. Sean <71410.25@compuserve.com>
From: Bill Studenmund <wrstuden@loki.stanford.edu>
List: port-mac68k
Date: 12/09/1997 15:57:34
> >ld.so.conf tells the system where libraries are, not where header files
> >are. Remove any changes you made to ld.so.conf. (Incidentally, I don't
> >think I've ever had to modify the ld.so.conf file.) To tell the
> >compiler
> >where libraries are (you can add this in the Makefile), add
> >-L/dir/where/special/libs/are to the line where it is looking for the
> >library.
> >
> Well, I had to edit /etc/ld.so.conf to get X to work (as per the FAQ).
> When I added /usr/X11R6/include it was the first entry. I have now added
> /usr/lib, /usr/include, /usr/local/include and /usr/local/lib to
> /etc/ld.so.conf. I know there is a security issue with library files
> (which, even after reading man ld.so.conf I am not completely clear on),
> but other than that, is there another issue? Can it screw something up?
As I understand it, ld.so.conf does need to contain all the library
directories, not just non-standard ones you want to add. It should NOT
contain includes directories, though.
The security issue is that a user can use a non-standard set of libraries.
If these were used by a set-uid program invoked by the user, it'd be
possable for a user to gain access rights of other users. For instance,
you could make a rogue libc which, in addition to being a regular libc,
let you fork a shell script if the program is run as root. So you could
get a root shell when you're not supposed to!
Take care,
Bill