[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: env: can it be used to let only certain variables through (if they'r
|
From: |
Jeffrey Walton |
|
Subject: |
Re: env: can it be used to let only certain variables through (if they're set)? |
|
Date: |
Fri, 21 Jan 2022 22:11:14 -0500 |
On Fri, Jan 21, 2022 at 6:09 PM Dominique Martinet
<asmadeus@codewreck.org> wrote:
> Christoph Anton Mitterer wrote on Fri, Jan 21, 2022 at 04:16:36PM +0100:
> ...
> > Even sounds like something that is rather delicate in terms of
> > security.
> > Consider a script that's started with such file, but the file is not
> > actually existing.
> > An attacker is somehow able to create the file and add things like
> > LD_PRELOAD_LIBRARY to it.
>
> Note if your goal is to protect yourself from LD_PRELOAD there isn't
> much you can do at this level: the preload library just has to hook over
> all kind of exec() functions and they can add themselves back there.
Also see Breaking the links: Exploiting the linker,
https://lwn.net/Articles/419997/.
Jeff