[yast-devel] LD_PRELOAD doesn't work for processes running as root any more
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by
accident on [opensuse]:
---------- Forwarded Message ----------
Subject: [opensuse] Checkinstall dropped from Opensuse [Was: Compiling the
Suse way]
Date: Friday 06 June 2008 01:31
From: "Carlos E. R."
This method uses configure > make > checkinstall (instead of make install).
Checkinstall has been dropped from openSUSE because it doesn't work anymore. Checkinstall's trick is to load a library via LD_PRELOAD that redirects all functions dealing with files. Now for installing a package you need to be root and for programs running with root privileges the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ dynamic loader ignores LD_PRELOAD as this would otherwise be a huge ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ security problem.
So checkinstall has become useless and was therefore dropped.
-------------------------------------------------------
--
Stefan Hundhammer
On Fri, Jun 06, 2008 at 11:56:45AM +0200, Stefan Hundhammer wrote:
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by accident on [opensuse]:
And it is of course incorrect. $ ./xx $ LD_PRELOAD=/suse/meissner/yy.so ./xx Boo! $ su Passwort: # LD_PRELOAD=/suse/meissner/yy.so ./xx Boo! # Still looking fine. Ciao, Marcus -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org
Marcus Meissner
On Fri, Jun 06, 2008 at 11:56:45AM +0200, Stefan Hundhammer wrote:
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by accident on [opensuse]:
LD_PRELOAD does not work for setuid applications - and that's the correct behaviour for quite some time...
And it is of course incorrect.
$ ./xx $ LD_PRELOAD=/suse/meissner/yy.so ./xx Boo! $ su Passwort: # LD_PRELOAD=/suse/meissner/yy.so ./xx Boo! #
Still looking fine.
Please make xx setuid root and run again as user, Andreas -- Andreas Jaeger, Director Platform/openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Andreas Jaeger
Marcus Meissner
writes: On Fri, Jun 06, 2008 at 11:56:45AM +0200, Stefan Hundhammer wrote:
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by accident on [opensuse]:
LD_PRELOAD does not work for setuid applications - and that's the correct behaviour for quite some time...
Exact behaviour: /* The LD_PRELOAD environment variable gives list of libraries separated by white space or colons that are loaded before the executable's dependencies and prepended to the global scope list. If the binary is running setuid all elements containing a '/' are ignored since it is insecure. */ The comment is from Jan 1997 and last changed Feb 1998, Andreas -- Andreas Jaeger, Director Platform/openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Am Freitag 06 Juni 2008 schrieb Stefan Hundhammer:
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by accident on [opensuse]:
No idea what they're smoking: http://<factory>/suse/i586/checkinstall-1.6.1-72.i586.rpm Greetings, Stephan -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org
* Stephan Kulow
Am Freitag 06 Juni 2008 schrieb Stefan Hundhammer:
JFYI - this might affect us, too, at least for debugging or testing.
If there was an announcement anywhere else, I missed it. I read this just by accident on [opensuse]:
No idea what they're smoking: http://<factory>/suse/i586/checkinstall-1.6.1-72.i586.rpm
Date: Thu, 05 Jun 2008 22:55:27 +0200
From: Philipp Thomas
This method uses configure > make > checkinstall (instead of make > install).
Checkinstall has been dropped from openSUSE because it doesn't work anymore. Checkinstall's trick is to load a library via LD_PRELOAD that redirects all functions dealing with files. Now for installing a package you need to be root and for programs running with root privileges the dynamic loader ignores LD_PRELOAD as this would otherwise be a huge security problem. So checkinstall has become useless and was therefore dropped. Philipp -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org
participants (5)
-
Andreas Jaeger
-
Marcus Meissner
-
Patrick Shanahan
-
Stefan Hundhammer
-
Stephan Kulow