LD_LIBRARY_PATH env corruption when using setuid

From: Ajay Nautiyal <sxan_at_java.sois.alaska.edu>
Date: Tue, 03 Mar 1998 07:52:18 -0900

Howdy folks,
        Has anyone ever had a problem with setuid corrupting the LD_LIBRARY_PATH environment variable? This problem occurs on both DU 3.2g and 4.0b. We used the following program to test the different systems, it seems that when the setuid bit is set and a different user, than the one for whom the setuid bit is set, executes the program the LD_LIBRARY_PATH environment variable get changed to including the users real uid and gid. If the LD_LIBRARY_PATH is not set no corruption occurs. If the setuid bit is not set, no corruption occurs. If the user executing the program is the same as the user for whom the setuid bit was set, no corruption occurs. The corruption is always consist ant, the uid and gid numbers are inserted at the beginning. Has anyone seen or heard of this before? Any help would be appreciated.

TIA.

The test program:

#include <stdlib.h>

main( int argc, char **argv, char** envr)

{
  char ** p = envr;
  char *s;
  int i=1;
  char * ld_library_path;

  while (*p)
    {
      printf("%d : %s\n", i++, *p++ );
    }
  
  ld_library_path = getenv("LD_LIBRARY_PATH");
  printf("ld_library_path: %s\n", ld_library_path);
}

after compiling the program, I set the suid bit for root, and executed the program. The output looked like this:

[clip]
LD_LIBRARY_PATH=91411/tmp:/usr/bin:/usr/local/bin
[clip]

If you need any more information, please email me. Thanks.
Ajay Nautiyal - sxan_at_ts.sois.alaska.edu
Systems Programmer
Received on Tue Mar 03 1998 - 17:54:41 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:37 NZDT