smbsh issues w/ samba-2.0.7

Steve Langasek vorlon at netexpress.net
Fri Nov 3 15:29:52 GMT 2000


On Fri, 3 Nov 2000, David Collier-Brown wrote:

> "Jason Haar ;" wrote:
> > Yeah - but weren't the glibc features removed, removed due to security
> > problems? If so, should smbsh use such calls anyway?

> 	They broke LD_PRELOAD, but not LD_LIBRARY_PATH,
> 	so whatever security problems there were still
> 	exist.  All LD_PRELOAD does is provide a "list 
> 	of shared objects that  are to be interpreted 
> 	by the runtime linker. The specified shared 
> 	objects are linked after the  program is
> 	executed  but before any other shared objects
> 	that the program references". (Solaris man page)

But if a setuid program could be invoked with an insecure library listed in
LD_PRELOAD, that would also be a security problem.

Not to say that I agree with the glibc developers.  If they aren't confident
in their own abilities to secure glibc without crippling the library's
functionality, then maybe they should get some outside help to do a security
audit.  I /liked/ having a userspace vfs for tarfiles. :)

Steve Langasek
postmodern programmer





More information about the samba-technical mailing list