The only thing I would state is that setuid programs, on most UNIXes, ignore the LD_LIBRARY_PATH.
I would also note that LD_LIBRARY_PATH is NOT universal. On OSX, DYLD_LIBRARY_PATH is the equivalent, but there are also other environment variables which can do the same thing. And this doesn't even begin to mention LD_PRELOAD.

What's your threat model? What's your need?

-Kyle H

On Fri, Apr 18, 2008 at 3:28 PM, David Schwartz <[EMAIL PROTECTED]> wrote:
>
> > Thanks for your response. Shipping my own version of openssl is ruled
> > out. So I have to trust the system installed one. Think at least on some
> > Unix systems, LD_LIBRARY_PATH is searched first.
>
> Right, this is because:
>
> 1) A library cannot do any harm the user could not do directly. So there's
> no point in preventing him from replacing system libraries.
>
> 2) The user may need to replace a system library for a given application for
> various reasons, including if the system library has a bug that other
> programs rely on.
>
> > I worry Trojan horses
> > hidden there. I am advised to zero out this env variable before
> > loading openssl.
>
> I would not advise this. At least as likely as a trojan is that the
> system-installed one has a problem and the user has installed a fixed
> OpenSSL build. The trojan can just as easily intercept your program's file
> operations to redirect the attempt to link to the system-installed OpenSSL
> to be to a user-provided one.
>
> > What else I can do?
>
> Consider very carefully whether protecting the user from himself is worth
> preventing him from protecting himself.
>
> It's very hard to give you advice without having any understanding of what
> your threat model is. For example, if your program is designed to protect
> banking transactions, that's a very different threat model from if your
> program is designed to protect its own licensing.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
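
An added example, not part of the thread or of OpenSSL: a diagnostic that reports which loader variables are set and which libssl/libcrypto files a process actually has mapped, rather than clearing the environment. The variable names beyond the three mentioned in the thread, the trusted directory list and the sample maps text are assumptions made for this example.

```python
import os
import sys

# Loader variables that can redirect shared-library resolution. The thread names
# LD_LIBRARY_PATH, LD_PRELOAD and DYLD_LIBRARY_PATH; the others are added here.
LOADER_VARS = {
    "linux": ("LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT"),
    "darwin": ("DYLD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
               "DYLD_FALLBACK_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH"),
}
# Assumption: the directories this deployment treats as system library paths.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 131 /home/alice/ssl/lib/libcrypto.so.3
7f3a10200000-7f3a10210000 rw-p 00200000 08:01 131 /home/alice/ssl/lib/libcrypto.so.3
7f3a11000000-7f3a11100000 r-xp 00000000 08:01 77  /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a12000000-7f3a12020000 rw-p 00000000 00:00 0
"""

def loader_overrides(env, platform):
    """Return {name: value} for each loader variable that is set and non-empty."""
    return {n: env[n] for n in LOADER_VARS.get(platform, ()) if env.get(n)}

def mapped_libraries(maps_text, stems=("libcrypto", "libssl")):
    """Return distinct mapped file paths whose basename starts with one of stems."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # the 6th field, if any, is the path
        if len(fields) == 6:
            path = fields[5].strip()
            if os.path.basename(path).startswith(stems) and path not in found:
                found.append(path)
    return found

def outside_trusted(paths, trusted=TRUSTED_DIRS):
    """Return the paths that do not live under any trusted directory."""
    return [p for p in paths
            if not os.path.normpath(p).startswith(tuple(d + "/" for d in trusted))]

def audit(env, platform, maps_text):
    """Report loader overrides and OpenSSL libraries mapped from unexpected places."""
    return {"overrides": loader_overrides(env, platform),
            "unexpected": outside_trusted(mapped_libraries(maps_text))}

if __name__ == "__main__":
    import ssl  # noqa: F401  (forces libssl/libcrypto to be mapped into this process)
    maps = open("/proc/self/maps").read() if os.path.exists("/proc/self/maps") else ""
    print(audit(os.environ, sys.platform, maps))
```

A library reported under "unexpected" may equally be a fixed OpenSSL build the user installed on purpose, so the output is something to log and review against the threat model, not a verdict.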