Re: ldd error with setuid/setgid binaries
From: "Theo de Raadt"
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 10:01:34 -0600

> But anyways, you are not talking about OpenBSD.

I am using the normal OpenBSD 7.4 installation from ftp.jaist.ac.jp, one of
the official mirrors.

I am talking about that, not anything else.
Re: ldd error with setuid/setgid binaries
On Wed, Oct 18, 2023 at 09:38:32PM +0200, Theo Buehler wrote:
> On Thu, Oct 19, 2023 at 01:39:00AM +0900, Yoshihiro Kawamata wrote:
> > From: Marc Espie
> > Subject: Re: ldd error with setuid/setgid binaries
> > Date: Wed, 18 Oct 2023 18:04:45 +0200
> >
> > > objdump -p
> > > will be as good.
> > >
> > > Yes, it does not recurse, but it doesn't need to, since you also
> > > want to wipe libraries that link with old libraries.
> >
> > This seems to be easier to parse in a shell script than "readelf -d".
>
> If you need recursion you may want to try lddtree from devel/pax-utils.

Admittedly, I think what Yoshihiro-kun is trying to achieve may be under the
realm of sysclean.
Re: ldd error with setuid/setgid binaries
On Thu, Oct 19, 2023 at 01:39:00AM +0900, Yoshihiro Kawamata wrote:
> From: Marc Espie
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 18:04:45 +0200
>
> > objdump -p
> > will be as good.
> >
> > Yes, it does not recurse, but it doesn't need to, since you also
> > want to wipe libraries that link with old libraries.
>
> This seems to be easier to parse in a shell script than "readelf -d".

If you need recursion you may want to try lddtree from devel/pax-utils.
Re: ldd error with setuid/setgid binaries
From: Stuart Henderson
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 13:58:26 +0100

> There are two approaches.
>
> - use another tool to read the ELF header and parse NEEDED entries
>   from that. Several are available (including at least one which will
>   recurse to show inter-library dependencies too, though I forget
>   what it's called)
>
> - provide an alternative binary which _can_ be executed by ldd

It would be possible to create an alternative script using "readelf -d".
Thanks for the suggestion.

Yoshihiro Kawamata
https://fuguita.org/
Re: ldd error with setuid/setgid binaries
From: Marc Espie
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 18:04:45 +0200

> objdump -p
> will be as good.
>
> Yes, it does not recurse, but it doesn't need to, since you also
> want to wipe libraries that link with old libraries.

This seems to be easier to parse in a shell script than "readelf -d".
Thank you very much.
Re: ldd error with setuid/setgid binaries
On Wed, Oct 18, 2023 at 11:41:12PM +0900, Yoshihiro Kawamata wrote:
> From: "Theo de Raadt"
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 06:35:51 -0600
>
> > You don't explain why you need to do this. You just completely skipped
> > that.
> > You don't justify why you need it to work. Does that make me care?? No, it
> > really doesn't make me care.
>
> This is to find executable binaries that use old shared libraries that
> no longer exist after an OS upgrade.

objdump -p
will be as good.

Yes, it does not recurse, but it doesn't need to, since you also
want to wipe libraries that link with old libraries.
Re: ldd error with setuid/setgid binaries
Yoshihiro Kawamata wrote:
> From: "Theo de Raadt"
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 06:35:51 -0600
>
> > You don't explain why you need to do this. You just completely skipped
> > that.
> > You don't justify why you need it to work. Does that make me care?? No, it
> > really doesn't make me care.
>
> This is to find executable binaries that use old shared libraries that
> no longer exist after an OS upgrade.

But anyways, you are not talking about OpenBSD.
Re: ldd error with setuid/setgid binaries
From: "Theo de Raadt"
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 06:35:51 -0600

> You don't explain why you need to do this. You just completely skipped that.
> You don't justify why you need it to work. Does that make me care?? No, it
> really doesn't make me care.

This is to find executable binaries that use old shared libraries that
no longer exist after an OS upgrade.
Re: ldd error with setuid/setgid binaries
Stuart Henderson wrote:
> On 2023/10/18 06:35, Theo de Raadt wrote:
> > ldd around suid programs has a fine history of security holes.
> >
> > One idea is for you to just not do that.
> >
> > You don't explain why you need to do this. You just completely skipped
> > that.
> > You don't justify why you need it to work. Does that make me care?? No, it
> > really doesn't make me care.
>
> The usual reason for this is to find libraries needed to copy into
> a chroot jail to make some binary work.
>
> > > How can I solve this? Please let me know if you have any good
> > > alternatives.
>
> There are two approaches.
>
> - use another tool to read the ELF header and parse NEEDED entries
>   from that. Several are available (including at least one which will
>   recurse to show inter-library dependencies too, though I forget
>   what it's called)
>
> - provide an alternative binary which _can_ be executed by ldd

No Stuart, I don't care because he doesn't care to tell us why he needs this.

It remains possible to simply not need to inspect those programs.

I doubt setuid programs are being copied into a chroot jail.

But, mostly I don't care because I'm sick and tired of 'bug reports' that
don't explain the usage case.

ldd's environment variable game has had holes, and all the valiant attempts
we make will create holes in the future, I'd bet money on it.
Re: ldd error with setuid/setgid binaries
On 2023/10/18 06:35, Theo de Raadt wrote:
> ldd around suid programs has a fine history of security holes.
>
> One idea is for you to just not do that.
>
> You don't explain why you need to do this. You just completely skipped that.
> You don't justify why you need it to work. Does that make me care?? No, it
> really doesn't make me care.

The usual reason for this is to find libraries needed to copy into
a chroot jail to make some binary work.

> > How can I solve this? Please let me know if you have any good
> > alternatives.

There are two approaches.

- use another tool to read the ELF header and parse NEEDED entries
  from that. Several are available (including at least one which will
  recurse to show inter-library dependencies too, though I forget
  what it's called)

- provide an alternative binary which _can_ be executed by ldd
Re: ldd error with setuid/setgid binaries
ldd around suid programs has a fine history of security holes.

One idea is for you to just not do that.

You don't explain why you need to do this. You just completely skipped that.
You don't justify why you need it to work. Does that make me care?? No, it
really doesn't make me care.

Yoshihiro Kawamata wrote:
> From: Stuart Henderson
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 10:00:19 - (UTC)
>
> > ldd started using execpromises, and:
> >
> > /* SUID programs may not be started with execpromises */
>
> I see. Thank you.
>
> I created and used a shell script to create a list of dynamic link
> libraries used for all commands:
>
> #!/bin/sh
> [[ -z "$1" ]] && set /
>
> find "$@" \
>   \! -fstype local -prune \
>   -o \
>   -type f \
>   \( -perm -100 -o -perm -010 -o -perm -001 \) \
>   -print \
> | xargs file \
> | awk '
>   BEGIN {FS=":"}
>   /ELF 64-bit LSB shared object/ {print $1}' \
> | xargs ldd \
> | awk '
>   /^\/.*:$/ {fname = $1; sub(/:/, "", fname)}
>   $3 == "rlib" {print $7, fname}' \
> | sort
>
> But this no longer works properly on OpenBSD 4.7.
>
> How can I solve this? Please let me know if you have any good
> alternatives.
>
>
> Yoshihiro Kawamata
> https://fuguita.org/
>
Re: ldd error with setuid/setgid binaries
From: Stuart Henderson
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 10:00:19 - (UTC)

> ldd started using execpromises, and:
>
> /* SUID programs may not be started with execpromises */

I see. Thank you.

I created and used a shell script to create a list of dynamic link
libraries used for all commands:

#!/bin/sh
[[ -z "$1" ]] && set /

find "$@" \
  \! -fstype local -prune \
  -o \
  -type f \
  \( -perm -100 -o -perm -010 -o -perm -001 \) \
  -print \
| xargs file \
| awk '
  BEGIN {FS=":"}
  /ELF 64-bit LSB shared object/ {print $1}' \
| xargs ldd \
| awk '
  /^\/.*:$/ {fname = $1; sub(/:/, "", fname)}
  $3 == "rlib" {print $7, fname}' \
| sort

But this no longer works properly on OpenBSD 4.7.

How can I solve this? Please let me know if you have any good
alternatives.


Yoshihiro Kawamata
https://fuguita.org/
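Stuart's first approach (read the ELF file and parse its NEEDED entries) applied to the job Yoshihiro's script does, as an added example that is not code from any poster: it pulls DT_NEEDED out of the PT_DYNAMIC segment with nothing but struct, so a setuid/setgid binary is only ever read, never executed, and stale_libs() reports the names that are absent from a set of installed libraries, which is the "old shared libraries that no longer exist after an OS upgrade" check. The ELF image it parses is constructed inline and its library names are made up; objdump -p or readelf -d would give the same NEEDED list on a real file.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libs(data: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image without executing it."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phoff, phentsize, phnum = struct.unpack_from("<Q14xHH", data, 32)  # e_phoff, e_phentsize, e_phnum
    loads, dynamic = [], None
    for i in range(phnum):          # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        p_type, _, off, vaddr, _, filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (off, filesz)
    if dynamic is None:
        return []                   # statically linked: nothing to resolve
    indices, strtab = [], None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        tag, val = struct.unpack_from("<qQ", data, pos)               # Elf64_Dyn: d_tag, d_val
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            indices.append(val)     # offset into the dynamic string table
        elif tag == DT_STRTAB:      # a virtual address: map it through PT_LOAD to a file offset
            strtab = next((val - va + off for va, off, n in loads if va <= val < va + n), None)
    if indices and strtab is None:
        raise ValueError("DT_NEEDED present but DT_STRTAB missing or outside every PT_LOAD segment")
    return [data[strtab + i:data.index(b"\0", strtab + i)].decode() for i in indices]

def stale_libs(data: bytes, installed: set) -> list:
    """NEEDED names that are not in `installed`, e.g. a libc version removed by an upgrade."""
    return [lib for lib in needed_libs(data) if lib not in installed]

def build_sample_elf() -> bytes:
    """Constructed minimal ET_DYN image with two DT_NEEDED entries; not a real binary."""
    base, strtab = 0x400000, b"\0libc.so.97.1\0libcrypto.so.52.0\0"
    strtab_off = 64 + 2 * 56        # string table sits right after the two program headers
    dyn_off = strtab_off + len(strtab)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   [(DT_NEEDED, 1), (DT_NEEDED, 14), (DT_STRTAB, base + strtab_off), (DT_NULL, 0)])
    size = dyn_off + len(dyn)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, base, base, size, size, 0x1000)
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dyn_ph + strtab + dyn
```

Feeding the bytes of each file found by the script's find/file stage into needed_libs() gives the same (library, binary) pairs as the ldd stage, with no Permission denied on setuid/setgid files.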
Re: ldd error with setuid/setgid binaries
On 2023-10-18, Yoshihiro Kawamata wrote:
> In OpenBSD 7.4, running ldd on a setuid or setgid executable returns
> an error. Why is this?

ldd started using execpromises, and:

/* SUID programs may not be started with execpromises */
ldd error with setuid/setgid binaries
In OpenBSD 7.4, running ldd on a setuid or setgid executable returns
an error. Why is this?

# ls -l atrm
-r-xr-sr-x  1 root  crontab  34864 Oct 10 23:41 atrm
# ldd atrm
atrm:
atrm: Permission denied
atrm: exit status 1
# chmod g-s atrm
# ls -l atrm
-r-xr-xr-x  1 root  crontab  34864 Oct 10 23:41 atrm
# ldd atrm
atrm:
        Start            End              Type  Open Ref GrpRef Name
        0512c652d000     0512c6539000     exe   1    0   0      atrm
        0514fad79000     0514fae73000     rlib  0    1   0      /usr/lib/libc.so.97.1
        0515abed4000     0515abed4000     ld.so 0    1   0      /usr/libexec/ld.so

Until OpenBSD 7.3, such errors did not occur.

Yoshihiro Kawamata
https://fuguita.org/