Re: System call hooking in 2.6 kernel..

On Tue, Nov 11, 2008 at 3:34 PM, Matthias Kaehlcke
<matthias@xxxxxxxxxxxx> wrote:
> On Tue, Nov 11, 2008 at 02:29:34PM +0530 sandeep lahane said:
>
>> Can you elaborate a little please?
>
> the sysadmin sets LD_PRELOAD to /lib/libunlinkwrapper.so which
> overrides the unlink() system call to add logging.
>
> now a nasty user wants to delete a file using unlink() (though she
> could use others to change the content of the file) without being
> traced by the sysadmin. to achieve this she could execute:
> LD_PRELOAD= rm <important_file>
>
> as LD_PRELOAD has been reset the overridden unlink() function of
> /lib/libunlinkwrapper.so would not be called
>
> --
> Matthias Kaehlcke
> Embedded Linux Engineer
> Barcelona
>
>    My homeland is where I am, where no one bothers me, where no one
>    asks me who I am, where I come from and what I do
>                              (B. Traven)
>                                                                 .''`.
>    using free software / Debian GNU/Linux | http://debian.org  : :'  :
>                                                                `. `'`
> gpg --keyserver pgp.mit.edu --recv-keys 47D8E5D4                  `-
>


Got your point.

But IMHO, the order in which libs are preloaded matters, i.e. if unlink
is wrapped in two libs, good.so and bad.so, and good.so is preloaded
earlier, say in ld.so.preload, and bad.so is preloaded later on, unlink
in good.so will be called first. If this is correct then it's just a
matter of who gets to the machine first and preloads his/her lib.

I think if this care is taken then the OP's problem is easier to solve.
-- 
Regards,
Sandeep.
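To make the mechanism the thread is arguing about concrete, here is an added example (it is not code from the thread or from either poster): a minimal LD_PRELOAD wrapper library that logs every unlink() call and then forwards it. The file name unlinkwrap.c, the helper names format_unlink_log and forward_unlink, and the log line format are assumptions of this example; the library name /lib/libunlinkwrapper.so is the one used upthread. The wrapper forwards through the raw unlinkat(2) syscall rather than dlsym(RTLD_NEXT, "unlink"), so it needs no libdl.

```c
/* unlinkwrap.c: added example, not from the thread.
 * LD_PRELOAD wrapper that logs unlink() calls, then forwards them.
 * Build:  gcc -shared -fPIC -o libunlinkwrapper.so unlinkwrap.c
 */
#define _GNU_SOURCE
#include <fcntl.h>        /* AT_FDCWD */
#include <limits.h>       /* PATH_MAX */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>  /* SYS_unlinkat */
#include <unistd.h>

/* Build the audit line. Kept separate from I/O so the format can be
 * checked on its own. Returns the number of characters snprintf produced. */
int format_unlink_log(char *buf, size_t n, uid_t uid, pid_t pid,
                      const char *path, int rc)
{
    return snprintf(buf, n, "unlinkwrapper: uid=%u pid=%d unlink(\"%s\") -> %d",
                    (unsigned)uid, (int)pid, path ? path : "(null)", rc);
}

/* Forward to the kernel directly via unlinkat(2). This sidesteps the libc
 * unlink() we are interposing, so there is no need for dlsym(RTLD_NEXT). */
static int forward_unlink(const char *path)
{
    return (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
}

/* Interposed unlink(): identical signature to libc's, so when this library
 * is preloaded the dynamic linker resolves the program's calls here first.
 * The entry is written to stderr; a real deployment would use syslog or a
 * root-owned log file instead. */
int unlink(const char *path)
{
    int rc = forward_unlink(path);          /* do the work first, then record it */
    char line[PATH_MAX + 96];
    format_unlink_log(line, sizeof line, getuid(), getpid(), path, rc);
    fputs(line, stderr);
    fputc('\n', stderr);
    return rc;
}
```

Load it for one process with `LD_PRELOAD=/lib/libunlinkwrapper.so some_program`, or for every dynamically linked program on the box by listing the path in /etc/ld.so.preload. Three caveats a defender should keep in mind. First, as shown upthread, LD_PRELOAD belongs to the user: clearing it removes the wrapper from that process. Second, with several preloaded libraries the one loaded first wins symbol resolution, and ld.so(8) documents that the LD_PRELOAD variable is processed before /etc/ld.so.preload, so putting the admin's wrapper in the file does not by itself give it priority over a library named in the environment. Third, statically linked programs and callers that issue unlinkat(2) directly (recent coreutils rm does) never pass through the wrapper at all. A preload wrapper is therefore an observability convenience, not an enforcement boundary; for the OP's goal the kernel side (the audit subsystem, or the syscall-level hooking the thread subject refers to) is the layer that sees every caller.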

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ



[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux