$ORIGIN expansion in SUID/SGID applications

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

$ORIGIN expansion in SUID/SGID applications

Tavis Ormandy
Hello, I've noticed that $ORIGIN is expanded in RPATH entries for
SGID/SUID binaries, on the condition that it is alone (_dl_dst_count,

From http://tinyurl.com/yj7lpr "For security, the dynamic linker does
not allow use of $ORIGIN substitution sequences for set-user and
set-group ID programs.". Is there any reason why $ORIGIN is permitted on
it's own? Of course, this would be a very bad idea as creating a link to
a suid program would allow a user to manipulate the value of $ORIGIN.

I was planning on submitting a patch that disables this expansion in
secure mode, but noticed that Ulrich had already looked at this code in
1999 and made this exception.

Thanks, Tavis.

[hidden email] | finger me for my pgp key.

attachment0 (246 bytes) Download Attachment