Archive for April, 2004

Corporate Whores

Thursday, April 29th, 2004

Looks like hadess,
mjcox,
gary
and dwmw2
have all taken a big overdose of the Red Hat drugs. So have I.

This Red Hat company meeting thing was a weird experience for
me. Realizing just how deeply rooted open source is in the Red Hat
culture. Realizing that what I’m hearing isn’t just the lip service to
open source that I heard in Sun. Seeing a real understanding of and
commitment to open source from each of the 600ish people
attending. Its like coming home or something. Man, I’m so psyched
after the whole thing.

Well, I’m pretty exhausted too :-)

$LD_LIBRARY_PATH Update

Wednesday, April 7th, 2004

Of course, Ulrich did know. The
System V ABI specification’s ELF section
contains the requirement
that $LD_LIBRARY_PATH have those semantics

   a string that holds a list of directories, separated by colons
   (:). For example, the string /home/dir/lib:/home/dir2/lib: tells the
   dynamic linker to search first the directory /home/dir/lib, then
   /home/dir2/lib, and then the current directory to find dependencies.
  

Moral of the story. Don’t do

  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/some/other/dir
  

Do this instead

  if [ -n $LD_LIBRARY_PATH ]; then
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/some/other/dir
  else
    export LD_LIBRARY_PATH=/some/other/dir
  fi
  

Or even

  export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/some/other/dir
  

Runtime Linker Voodoo

Tuesday, April 6th, 2004

Kjartan pointed out a report of a gnome-session security vulnerability
to me earlier today. Now, it turns out to actually only be a
vulnerability in a script supplied with certain distributors’ packages,
but that’s not the interesting part.

The script contained something like this:

  export LD_LIBRARY_PATH=/opt/gnome/lib:$LD_LIBRARY_PATH

and the “vulnerability” was apparently that if $LD_LIBRARY_PATH
was originally unset, then you get
LD_LIBRARY_PATH=”/opt/gnome/lib:”.

I couldn’t for the life of me understand why it was actually a
vulnerability in the first place. It gnawed at me all day. After a bit
of poking at the runtime linker code in glibc though I realized that
setting $LD_LIBRARY_PATH like that is effectively the same as
setting it to LD_LIBRARY_PATH=”/opt/gnome/lib:./”. The problem is
clear then – an attacker can use it to force a rogue, untrusted
library to be loaded that could do nasty things.

So, this whole LD_LIBRARY_PATH=”:” causing “./” to be added to
the runtime linker’s search path thing came as a big suprise to me and
to some others. I’d never heard of before, but it seems known to at
least some people and is “expected behavior”. What worries me here is
that its likely most attackers know to look out for this and most
developers don’t.

My long search for a normative reference for this behaviour failed. If
anyone knows where it comes from, I’m dead curious. I expect Ulrich
knows, though :-)

Another interesting thing to play with:

$> LD_DEBUG=help /lib/ld-linux.so.2
Valid options for the LD_DEBUG environment variable are:
 
  libs        display library search paths
  reloc       display relocation processing
  files       display progress for input file
  symbols     display symbol table processing
  bindings    display information about symbol binding
  versions    display version dependencies
  all         all previous options combined
  statistics  display relocation statistics
  help        display this help message and exit

I read a paper
from Ulrich
some time ago that gave lots of details on how to write
shared libraries such that the runtime linker can more efficiently
resolve symbols etc. LD_DEBUG=statistics, among other things,
is useful there. I’d love to see someone with the time and interest
looking into this and analyzing GNOME libraries to see where we can
make improvements.