Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
From: "Theo de Raadt" 
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 10:01:34 -0600

> But anyways, you are not talking about OpenBSD.

I am using the normal OpenBSD 7.4 installation from ftp.jaist.ac.jp,
one of the official mirrors.
I am talking about that, not anything else.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Marc Espie
On Wed, Oct 18, 2023 at 09:38:32PM +0200, Theo Buehler wrote:
> On Thu, Oct 19, 2023 at 01:39:00AM +0900, Yoshihiro Kawamata wrote:
> > From: Marc Espie 
> > Subject: Re: ldd error with setuid/setgid binaries
> > Date: Wed, 18 Oct 2023 18:04:45 +0200
> > 
> > > objdump -p
> > > will be as good.
> > > 
> > > Yes, it does not recurse, but it doesn't need to, since you also
> > > want to wipe libraries that link with old libraries.
> > 
> > This seems to be easier to parse in a shell script than "readelf -d".
> 
> If you need recursion you may want to try lddtree from devel/pax-utils.
> 
Admittedly, I think what Yoshihiro-kun is trying to achieve
may be under the realm of sysclean.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Theo Buehler
On Thu, Oct 19, 2023 at 01:39:00AM +0900, Yoshihiro Kawamata wrote:
> From: Marc Espie 
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 18:04:45 +0200
> 
> > objdump -p
> > will be as good.
> > 
> > Yes, it does not recurse, but it doesn't need to, since you also
> > want to wipe libraries that link with old libraries.
> 
> This seems to be easier to parse in a shell script than "readelf -d".

If you need recursion you may want to try lddtree from devel/pax-utils.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
From: Stuart Henderson 
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 13:58:26 +0100

> There are two approaches.
> 
> - use another tool to read the ELF header and parse NEEDED entries
> from that. several are available (including at least one which will
> recurse to show inter-library dependencies too, though I forget
> what it's called)
> 
> - provide an alternative binary which _can_ be executed by ldd

It would be possible to create an alternative script using "readelf -d".

Thanks for the suggestion.


Yoshihiro Kawamata
https://fuguita.org/



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
From: Marc Espie 
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 18:04:45 +0200

> objdump -p
> will be as good.
> 
> Yes, it does not recurse, but it doesn't need to, since you also
> want to wipe libraries that link with old libraries.

This seems to be easier to parse in a shell script than "readelf -d".

Thank you very much.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Marc Espie
On Wed, Oct 18, 2023 at 11:41:12PM +0900, Yoshihiro Kawamata wrote:
> From: "Theo de Raadt" 
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 06:35:51 -0600
> 
> > You don't explain why you need to do this.  You just completely skipped 
> > that.
> > You don't justify why you need it to work.  Does that make me care?? No, it
> > really doesn't make me care.
> 
> This is to find executable binaries that use old shared libraries that
> no longer exist after an OS upgrade.
> 

objdump -p
will be as good.

Yes, it does not recurse, but it doesn't need to, since you also
want to wipe libraries that link with old libraries.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Theo de Raadt
Yoshihiro Kawamata  wrote:

> From: "Theo de Raadt" 
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 06:35:51 -0600
> 
> > You don't explain why you need to do this.  You just completely skipped 
> > that.
> > You don't justify why you need it to work.  Does that make me care?? No, it
> > really doesn't make me care.
> 
> This is to find executable binaries that use old shared libraries that
> no longer exist after an OS upgrade.

But anyways, you are not talking about OpenBSD.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
From: "Theo de Raadt" 
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 06:35:51 -0600

> You don't explain why you need to do this.  You just completely skipped that.
> You don't justify why you need it to work.  Does that make me care?? No, it
> really doesn't make me care.

This is to find executable binaries that use old shared libraries that
no longer exist after an OS upgrade.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2023/10/18 06:35, Theo de Raadt wrote:
> > ldd around suid programs has a fine history of security holes.
> > 
> > One idea is for you to just not do that.
> > 
> > You don't explain why you need to do this.  You just completely skipped 
> > that.
> > You don't justify why you need it to work.  Does that make me care?? No, it
> > really doesn't make me care.
> 
> The usual reason for this is to find libraries needed to copy into
> a chroot jail to make some binary work.
> 
> > > How can I solve this? Please let me know if you have any good
> > > alternatives.
> 
> There are two approaches.
> 
> - use another tool to read the ELF header and parse NEEDED entries
> from that. several are available (including at least one which will
> recurse to show inter-library dependencies too, though I forget
> what it's called)
> 
> - provide an alternative binary which _can_ be executed by ldd
> 

No Stuart, I don't care because he doesn't care to tell us why he needs
this.  It remains possible to simply not need to inspect those programs.

I doubt setuid programs are being copied into a chroot jail.

But, mostly I don't care because I'm sick and tired of 'bug reports'
that don't explain the usage case.

ldd's environment variable game has had holes, and all the valiant
attempts we make will create holes in the future, I'd bet money on it.



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Stuart Henderson
On 2023/10/18 06:35, Theo de Raadt wrote:
> ldd around suid programs has a fine history of security holes.
> 
> One idea is for you to just not do that.
> 
> You don't explain why you need to do this.  You just completely skipped that.
> You don't justify why you need it to work.  Does that make me care?? No, it
> really doesn't make me care.

The usual reason for this is to find libraries needed to copy into
a chroot jail to make some binary work.

> > How can I solve this? Please let me know if you have any good
> > alternatives.

There are two approaches.

- use another tool to read the ELF header and parse NEEDED entries
from that. several are available (including at least one which will
recurse to show inter-library dependencies too, though I forget
what it's called)

- provide an alternative binary which _can_ be executed by ldd



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Theo de Raadt
ldd around suid programs has a fine history of security holes.

One idea is for you to just not do that.

You don't explain why you need to do this.  You just completely skipped that.
You don't justify why you need it to work.  Does that make me care?? No, it
really doesn't make me care.

Yoshihiro Kawamata  wrote:

> From: Stuart Henderson 
> Subject: Re: ldd error with setuid/setgid binaries
> Date: Wed, 18 Oct 2023 10:00:19 - (UTC)
> 
> > ldd started using execpromises, and:
> > 
> > /* SUID programs may not be started with execpromises */
> 
> I see. thank you.
> I created and used a shell script to create a list of dynamic link
> libraries used for all commands:
> 
>   #!/bin/sh
>   [[ -z "$1" ]] && set /
> 
>   find "$@" \
>   \! -fstype local -prune \
>   -o \
>   -type f \
>   \( -perm -100 -o -perm -010 -o -perm -001 \) \
>   -print \
>   | xargs file \
>   | awk '
>   BEGIN {FS=":"}
>   /ELF 64-bit LSB shared object/ {print $1}' \
>   | xargs ldd \
>   | awk '
>  /^\/.*:$/ {fname = $1; sub(/:/, "", fname)}
>  $3 == "rlib" {print $7, fname}' \
>   | sort
> 
> But this no longer works properly on OpenBSD 4.7.
> 
> How can I solve this? Please let me know if you have any good
> alternatives.
> 
> 
> Yoshihiro Kawamata
> https://fuguita.org/
> 



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
From: Stuart Henderson 
Subject: Re: ldd error with setuid/setgid binaries
Date: Wed, 18 Oct 2023 10:00:19 - (UTC)

> ldd started using execpromises, and:
> 
> /* SUID programs may not be started with execpromises */

I see. thank you.
I created and used a shell script to create a list of dynamic link
libraries used for all commands:

  #!/bin/sh
  # Print "library binary" pairs for every executable ELF64 file on the
  # local filesystems under the given paths; defaults to / when none is given.
  [ -z "$1" ] && set /

  find "$@" \
      \! -fstype local -prune \
      -o \
      -type f \
      \( -perm -100 -o -perm -010 -o -perm -001 \) \
      -print \
  | xargs file \
  | awk '
      # keep only ELF64 LSB files; PIE executables also report as "shared object"
      BEGIN {FS=":"}
      /ELF 64-bit LSB shared object/ {print $1}' \
  | xargs ldd \
  | awk '
      # "path:" header lines name the binary, "rlib" rows list its libraries
      /^\/.*:$/ {fname = $1; sub(/:/, "", fname)}
      $3 == "rlib" {print $7, fname}' \
  | sort

But this no longer works properly on OpenBSD 4.7.

How can I solve this? Please let me know if you have any good
alternatives.


Yoshihiro Kawamata
https://fuguita.org/
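The ldd step in the script above is the part that breaks: ldd(1) has to start the target process, which execpromises now refuses for setuid/setgid binaries (and which is the historical source of the suid ldd holes mentioned later in the thread). The following is an added example, not code from this thread or from OpenBSD, that takes Stuart Henderson's first approach: it reads the program headers and the dynamic section of each file directly and returns the DT_NEEDED names, so nothing is ever executed. It also carries Marc Espie's point that no recursion is required, by reporting stale dependencies per file. It assumes ELF64 little-endian input (the same "ELF 64-bit LSB" shape the script selects), walks the tree with os.walk rather than find(1) (so it does not prune non-local filesystems), and uses a constructed in-memory ELF image, `build_sample_elf()`, as test input instead of a real binary.

```python
"""Read DT_NEEDED straight from ELF64 files instead of running ldd.
Added example, not code from the thread or from OpenBSD. Assumes ELF64 LSB
input; build_sample_elf() is a constructed test image, not a real binary."""
import os, stat, struct, sys
from typing import Dict, Iterable, List, Set

PT_LOAD, PT_DYNAMIC = 1, 2                              # program header types
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10   # dynamic section tags
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")               # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")                       # Elf64_Phdr
DYN = struct.Struct("<qQ")                              # Elf64_Dyn


def parse_needed(data: bytes) -> List[str]:
    """Return the DT_NEEDED names of one ELF64 LSB image, in link order."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not an ELF64 LSB file")
    hdr = EHDR.unpack_from(data)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # static binary: nothing is resolved at run time

    def vaddr_to_off(v: int) -> int:  # DT_STRTAB holds a virtual address
        for vaddr, off, size in loads:
            if vaddr <= v < vaddr + size:
                return v - vaddr + off
        raise ValueError("address %#x not backed by a PT_LOAD segment" % v)

    strtab, strsz, needed = None, None, []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], DYN.size):
        tag, val = DYN.unpack_from(data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab = vaddr_to_off(val)
        elif tag == DT_STRSZ:
            strsz = val
    if strtab is None or strsz is None or any(off >= strsz for off in needed):
        raise ValueError("malformed dynamic section")
    table = data[strtab:strtab + strsz]
    return [table[off:table.index(b"\0", off)].decode("ascii", "replace") for off in needed]


def scan_tree(roots: Iterable[str]) -> Dict[str, List[str]]:
    """Executable ELF64 files under roots -> their DT_NEEDED lists. Same file
    selection as the posted find(1) call (regular files with any x bit)."""
    found = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                        with open(path, "rb") as fh:      # read only, never exec
                            found[path] = parse_needed(fh.read())
                except (OSError, ValueError, struct.error):
                    pass  # unreadable, not ELF64, or malformed: skip it
    return found


def stale_dependencies(needed_by: Dict[str, List[str]], installed: Set[str]) -> Dict[str, List[str]]:
    """Files naming a library that is not installed. No recursion is needed: a
    library that itself needs an old library is listed under its own path."""
    return {path: [lib for lib in libs if lib not in installed]
            for path, libs in needed_by.items() if any(lib not in installed for lib in libs)}


def build_sample_elf(needed=("libc.so.97.1", "libcrypto.so.52.0")) -> bytes:
    """Constructed ELF64 image: one PT_LOAD over the whole file plus PT_DYNAMIC."""
    base, strtab, offsets = 0x400000, b"\0", []
    for lib in needed:
        offsets.append(len(strtab))
        strtab += lib.encode() + b"\0"
    str_off = EHDR.size + 2 * PHDR.size
    dyn_off = str_off + len(strtab)
    dyn = b"".join(DYN.pack(DT_NEEDED, o) for o in offsets)
    dyn += DYN.pack(DT_STRTAB, base + str_off) + DYN.pack(DT_STRSZ, len(strtab)) + DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    load = PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynamic = PHDR.pack(PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + strtab + dyn


if __name__ == "__main__":
    for path, libs in sorted(scan_tree(sys.argv[1:] or ["/"]).items()):
        for lib in libs:
            print(lib, path)  # the "library binary" pairs the posted script printed
```

Run it as `python3 needed.py /usr /usr/local` to get the same "library binary" listing the script produced; the difference is that each line carries the soname from DT_NEEDED rather than the resolved path ldd printed, because nothing here consults ld.so's search order. To find binaries left behind by an upgrade, feed `scan_tree()` output and the set of library basenames now installed under /usr/lib and /usr/local/lib to `stale_dependencies()`.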



Re: ldd error with setuid/setgid binaries

2023-10-18 Thread Stuart Henderson
On 2023-10-18, Yoshihiro Kawamata  wrote:
> In OpenBSD 7.4, running ldd on a setuid or setgid executable returns
> an error. Why is this?

ldd started using execpromises, and:

/* SUID programs may not be started with execpromises */




ldd error with setuid/setgid binaries

2023-10-18 Thread Yoshihiro Kawamata
In OpenBSD 7.4, running ldd on a setuid or setgid executable returns
an error. Why is this?

  # ls -l atrm
  -r-xr-sr-x  1 root  crontab  34864 Oct 10 23:41 atrm
  # ldd atrm
  atrm:
  atrm: Permission denied
  atrm: exit status 1
  # chmod g-s atrm
  # ls -l atrm
  -r-xr-xr-x  1 root  crontab  34864 Oct 10 23:41 atrm
  # ldd atrm
  atrm:
          Start            End              Type  Open Ref GrpRef Name
          0512c652d000     0512c6539000     exe   1    0   0      atrm
          0514fad79000     0514fae73000     rlib  0    1   0      /usr/lib/libc.so.97.1
          0515abed4000     0515abed4000     ld.so 0    1   0      /usr/libexec/ld.so

Until OpenBSD 7.3, such errors did not occur.


Yoshihiro Kawamata
https://fuguita.org/