[Qt5-feedback] Fwd: Re: Qt major versions
Konstantin Tokarev
annulen at yandex.ru
Wed Jun 8 11:43:01 CEST 2011
08.06.2011, 12:55, "Till Oliver Knoll" <till.oliver.knoll at gmail.com>:
> That would mean there was NO way on Linux/Unix to make sure an executable is picking up a lib from a well-defined location! And simply pointing LD_LIBRARY_PATH to a malicious lib would open that lib instead of the proper one (and maybe that lib would even inherit root access!).
>
> Setting LD_LIBRARY_PATH in your own start script would not help: I would simply ignore your script and call the executable directly (or via my own malicious script).
>
Right - but Unix systems don't assume that the user himself is a potential malefactor. So the user certainly has a right to set LD_LIBRARY_PATH to the desired value or call the application directly (but no one knows what will happen then ;)
On the other hand, malicious code may insert LD_LIBRARY_PATH into ~/.bash_profile, download some evil libs somewhere into a deep hole of ~/.config (that's why I hate these newfangled "black holes" inside $HOME), and they can be accidentally used after the next shell login.
> I am sure I am missing something here, so Captain Obvious please speak up :)
There is a way to ensure that an application loads libraries from certain locations: load them with dlopen.
--
Regards,
Konstantin
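
The ~/.bash_profile scenario in the message above can be audited for. The following check is an added example, not part of the original message: it flags LD_LIBRARY_PATH assignments whose entries are empty, relative, or inside the home directory. The function names, the sample profile and the home directory /home/alice are constructed for illustration.

```python
import os
import re

# Matches `LD_LIBRARY_PATH=...` with or without a leading `export`.
ASSIGN = re.compile(r'^\s*(?:export\s+)?LD_LIBRARY_PATH=(.*)$')

# Constructed sample of a shell profile; not taken from any real system.
SAMPLE_PROFILE = '''\
# ~/.bash_profile (constructed sample)
export PATH="$HOME/bin:$PATH"
export LD_LIBRARY_PATH=/opt/qt5/lib
export LD_LIBRARY_PATH="$HOME/.config/.cache/lib:$LD_LIBRARY_PATH"
LD_LIBRARY_PATH=:/usr/local/lib
'''

def risky_entries(value, home):
    """Yield (entry, reason) for search-path entries user-level code could control."""
    home = home.rstrip('/')
    for entry in value.strip().strip('"\'').split(':'):
        if entry in ('$LD_LIBRARY_PATH', '${LD_LIBRARY_PATH}'):
            continue  # re-appending the inherited value adds no new directory
        expanded = entry.replace('${HOME}', home).replace('$HOME', home)
        if expanded == '~' or expanded.startswith('~/'):
            expanded = home + expanded[1:]
        if expanded == '':
            yield entry, 'empty entry: ld.so searches the current directory'
        elif not expanded.startswith('/'):
            yield entry, 'relative path: depends on the current directory'
        elif (os.path.normpath(expanded) + '/').startswith(home + '/'):
            yield entry, 'inside the home directory: writable by user-level code'

def audit_profile(text, home):
    """Return (line number, entry, reason) for each risky LD_LIBRARY_PATH entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # commented-out assignments have no effect
        match = ASSIGN.match(line)
        if match:
            for entry, reason in risky_entries(match.group(1), home):
                findings.append((lineno, entry, reason))
    return findings

if __name__ == '__main__':
    for lineno, entry, reason in audit_profile(SAMPLE_PROFILE, '/home/alice'):
        print(f'line {lineno}: {entry!r}: {reason}')
```
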