  From: Rodolphe Ortalo <Rodolphe.Ortalo@cert.fr>
  To  : ggi-develop@eskimo.com
  Date: Tue, 03 Aug 1999 18:02:43 +0200

Re: Dynamic libs

Peter Åstrand wrote:

> >NB: If a user can 'overwrite' the GGI libs, or replace the kernel driver
> >with a 'customized' version: then he is already root in the system...
>
> What about LD_PRELOAD and LD_LIBRARY_PATH?

This should affect only the GGI libs of the user that sets these
two variables himself: it should not have any special effect on
the kernel driver, nor on other users which have different paths.

If the kernel driver integrity is not compromised, we can
expect the hardware to remain safe, and the various users
to remain isolated from each other's mistakes. (Unless the
driver is buggy, of course.) [1]

And, if the user wants to put a trojan horse for himself, why
not? :-)

More seriously, this can be a problem if, e.g., Alice
adds these commands into the .login file of Bob to
have him load 'modified' userspace libraries in order,
e.g., to read the text Bob is typing (euh, displaying in fact).
Confidentiality and I/O are always problematic... (and
ciphering the framebuffer does not help much ;-) )

But then, the security problem is in the '.login' integrity,
or the ld.so user configuration mechanisms, not really in
the way the userspace library interacts with the kernel
driver.

Well, that's tricky to set up the security of a modern
'normal' Unix system anyway... But, as I always say,
a computer system primarily aims at massive information
sharing and treatment so... that's what it does.


Rodolphe

[1] A similar assumption is needed for the system
file /etc/ld.so.conf (or also modules.conf btw if you
use a modular driver).
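The start-up-file integrity this message points at, as an added example that is not part of the original post nor of the GGI project: a POSIX sh audit that lists LD_PRELOAD / LD_LIBRARY_PATH assignments in a user's login files and flags files that other accounts could edit (the same permission check applies to /etc/ld.so.conf). The file names, the sample .login content and the wrapper.so path are constructed for the demo.

```shell
#!/bin/sh
# Added example (not GGI project code): audit shell start-up files for
# dynamic-loader overrides and for the permission weakness that would let
# another account plant them there.

# List the lines of FILE that set LD_PRELOAD or LD_LIBRARY_PATH, in csh
# form ("setenv VAR value") or sh form ("VAR=value", "export VAR=value").
find_loader_overrides() {
    grep -nE '^[[:space:]]*(setenv[[:space:]]+|export[[:space:]]+)?LD_(PRELOAD|LIBRARY_PATH)([[:space:]]|=)' "$1"
}

# Succeed if FILE is writable by its group (020) or by everyone (002):
# such a file can be edited by accounts other than its owner.
is_group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print a one-word verdict for FILE: missing, clean, override, weak-perms, or both.
audit_startup_file() {
    f="$1"; override=0; weak=0
    [ -f "$f" ] || { echo missing; return 0; }
    find_loader_overrides "$f" >/dev/null 2>&1 && override=1
    is_group_or_world_writable "$f" && weak=1
    case "$override$weak" in
        00) echo clean ;;
        10) echo override ;;
        01) echo weak-perms ;;
        11) echo both ;;
    esac
}

# Constructed demo: a clean .profile and a tampered, group-writable .login.
demo_dir=$(mktemp -d)
printf 'umask 022\nexport PATH=$HOME/bin:$PATH\n' > "$demo_dir/profile_clean"
printf 'setenv TERM xterm\nsetenv LD_PRELOAD /home/bob/.cache/wrapper.so\n' \
    > "$demo_dir/login_tampered"
chmod 664 "$demo_dir/login_tampered"   # group-writable: others in the group can edit it
for f in "$demo_dir/profile_clean" "$demo_dir/login_tampered"; do
    echo "$f: $(audit_startup_file "$f")"
done
```

Run it against a real account with `audit_startup_file ~/.login` and the other files the user's shell sources at login.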

