Proposing to host system-auth-agent in fdo

Alexander Larsson alexl at redhat.com
Mon Oct 25 10:12:18 EEST 2004 

On Sun, 2004-10-24 at 17:33 +0200, Carlos Garnacho wrote:
> On Mon, 2004-10-18 at 09:06 +0200, Alexander Larsson wrote:
> > On Sat, 2004-10-16 at 20:48 +0200, Carlos Garnacho wrote:
> > 
> > > Ok, the program that uses the API could still be affected by LD_PRELOAD,
> > > but let's suppose the next scenario:
> > > 
> > > Joe tries to do weird stuff, writes a .so file that replaces getuid()
> > > calls to impersonate Frank and tries to run "rm -rf /", runs
> > > control-center with LD_PRELOAD
> > > 
> > > 1) system-auth-manager will still know which is the calling user, as it
> > > isn't affected by LD_PRELOAD
> > > 
> > > 2) system-auth-manager will check that user Joe is allowed to run the
> > > "rm" command, if he isn't, the root password will be requested, and the
> > > whole LD_PRELOAD won't be effective at all. 
> > 
> > So, you're agreeing that the binary-name check doesn't help much? (Since
> > you brought up the uid check instead.)
> 
> I've just uploaded the 0.0.2 version [1] which fixes this problem by
> linking statically the library by default (adding ~50KB to the binary
> size), one can still LD_PRELOAD to override read() and write() calls,
> but that problem is intrinsic to any graphical auth application.

I'm not sure how this helps anything? Its very easy to write a shared
library, that when LD_PRELOADed into an app runs before main() of the
app is even called (using constructors) and takes total control.
Basically you can write whatever application you want, doing whatever
you want. But instead of running it as "hostile-binary" you run it so
that it looks like whatever other binary you choose (e.g. /usr/bin/ls).

So, any system that depends on what executable a process was started as
is inefficient (at least if thats the only measure).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl at redhat.com    alla at lysator.liu.se 
He's a one-legged crooked shaman gone bad. She's a cosmopolitan goth socialite 
trying to make a difference in a man's world. They fight crime!

More information about the xdg mailing list