Hi Christian,
yes I know that, was just a quick fix. Better is to put $ROOTSYS/test
in the library path (-rpath is not supported on all platforms, otherwise
that is the best solution).
-- Fons
PS: hope everybody takes your lesson to heart anyway.
On Fri, 2002-12-06 at 13:48, Christian Holm Christensen wrote:
> Hi all,
>
> Fons Rademakers <Fons.Rademakers@cern.ch> wrote concerning
> [ROOT] missing libEvent [05 Dec 2002 16:22:29 +0100]
> ----------------------------------------------------------------------
> > You should have one. Make sure that "." is in LD_LIBRARY_PATH.
>
> Having "." in one's LD_LIBRARY_PATH or PATH environment variables is a
> really bad idea. Witness this program:
>
>   int main(int argc, char** argv)
>   {
>     pid_t pid = fork();
>
>     if (!pid) { // child
>       while (true) {
>         sleep(EVIL_SLP);
>         std::cout << EVIL_MSG << getpid() << std::endl;
>       }
>     }
>     else { // parent
>       argv[0] = GOOD_LS;
>       execv(GOOD_LS, argv);
>     }
>     return 0;
>   }
>
> Compile this into an executable called `ls', and put that in the
> current directory. Then try to execute `ls' normally - you'll execute
> a Trojan horse.
>
> You can play the same trick with a library (a C source file):
>
>   void _init() {
>     pid_t pid;
>     pid = fork();
>
>     setenv("LD_PRELOAD", EVIL_LIB);
>     if (!pid) { // child
>       while (1) {
>         sleep(EVIL_SLP);
>         printf("%s %d\n", EVIL_MSG, getpid());
>       }
>     }
>     else
>       dlopen("/lib/libc.so.6", RTLD_LAZY);
>   }
>
> Compile this code into a shared library called `libc.so.6' and put it
> in the current directory - now execute _any_ command and you'll
> execute a Trojan horse.
>
> [An aside, to make this into a shared library on GNU/Linux, you need
> to specify the flag `-nostdlib' to the linker]
>
> As you can see, it's not recommendable to have relative paths in
> either LD_LIBRARY_PATH or PATH - you will be vulnerable to Trojan
> horses. Note, that this is entirely a user mistake - not a SysOp or
> OS mistake. _Always_ use absolute paths!
>
> Yours,
>
> ___ | Christian Holm Christensen
> |_| | -------------------------------------------------------------
> | | Address: Sankt Hansgade 23, 1. th. Phone: (+45) 35 35 96 91
> _| DK-2200 Copenhagen N Cell: (+45) 24 61 85 91
> _| Denmark Office: (+45) 353 25 305
> ____| Email: cholm@nbi.dk Web: www.nbi.dk/~cholm
> | |
--
Org: CERN, European Laboratory for Particle Physics.
Mail: 1211 Geneve 23, Switzerland
E-Mail: Fons.Rademakers@cern.ch Phone: +41 22 7679248
WWW: http://root.cern.ch/~rdm/ Fax: +41 22 7679480
This archive was generated by hypermail 2b29 : Sat Jan 04 2003 - 23:51:22 MET
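
Added example (not part of the original messages): a POSIX shell check for the mistake discussed in this thread, flagging any entry of a colon-separated search path that is relative or empty, since an empty entry (leading, trailing or doubled colon) is also read as the current directory. The function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# unsafe_entries VALUE
# Prints "<position>:<entry>:<reason>" for every entry of a colon-separated
# search path that is not an absolute path. Returns 0 if all entries are
# absolute (or VALUE is empty), 1 otherwise.
unsafe_entries() {
    value=$1
    pos=0
    bad=0
    # An unset or empty variable contributes no entries at all.
    [ -n "$value" ] || return 0
    # Append ':' so the loop also sees a trailing empty entry.
    rest="$value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '') echo "$pos:<empty>:empty entry means current directory"; bad=1 ;;
            /*) ;;  # absolute path: resolved the same from every directory
            *)  echo "$pos:$entry:relative entry depends on current directory"; bad=1 ;;
        esac
    done
    return $bad
}

# audit_vars NAME...
# Runs unsafe_entries on each named environment variable and prefixes the
# findings with the variable name. Returns 1 if any variable had a finding.
audit_vars() {
    status=0
    for name in "$@"; do
        eval "val=\${$name-}"
        findings=$(unsafe_entries "$val") || status=1
        [ -z "$findings" ] || printf '%s\n' "$findings" | sed "s/^/$name entry /"
    done
    return $status
}

# Constructed sample value: "." in the middle plus a trailing colon.
unsafe_entries "/usr/bin:.:/opt/root/lib:" || true
```

To check a live session, call `audit_vars PATH LD_LIBRARY_PATH` from a login script or interactively.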