2014-02-16 23:36 GMT+01:00 Frank Brodbeck <f...@guug.de>:
> I am not sure what point it is you are trying to make but:
>
> $ LD_PRELOAD=./id0 sh
> \u@\h:\w\n$ id -un
> root
> \u@\h:\w\n$ less /etc/master.passwd
> /etc/master.passwd: Permission denied
> \u@\h:\w\n$ ls -l /etc/master.passwd
> -rw------- 1 root wheel 3984 Feb 5 22:44 /etc/master.passwd
> \u@\h:\w\n$

again:

---

Nothing (it's safe to self-test, so have fun). id (or whoami) thinks that it calls functions from libc, but it really calls functions that are loaded by LD_PRELOAD. These fake functions return 0, so id (whoami) thinks that you are root.

---

This means that you don't have root access (or uid 0), but id (whoami) thinks that you are root (uid 0). If you put something more dangerous in a function such as readpassphrase(), you can e.g. capture the passwords etc. This example shows that using LD_PRELOAD you can inject your own code on OpenBSD.

I hope that now it is more understandable.

Daniel
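
A defender's view of the behaviour discussed in this thread, as an added example that is not part of the original messages: a C check that compares the uid libc reports with the uid the kernel reports and notes whether LD_PRELOAD is set. It assumes Linux for the raw `syscall(SYS_getuid)` path, and the names `classify`, `kernel_uid` and `preload_entry_count` are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { VIEW_CLEAN, VIEW_PRELOAD_SET, VIEW_UID_MISMATCH };

/* Count library entries in an LD_PRELOAD value; glibc's ld.so accepts ':' or ' ' separators. */
static int preload_entry_count(const char *value)
{
    int count = 0, in_entry = 0;
    if (value == NULL)
        return 0;
    for (; *value != '\0'; value++) {
        if (*value == ':' || *value == ' ') {
            in_entry = 0;
        } else if (!in_entry) {
            in_entry = 1;
            count++;
        }
    }
    return count;
}

/* Compare what libc reports with what the kernel reports. A mismatch is the
 * signature of an interposed getuid() like the one discussed in the thread. */
static enum verdict classify(uid_t libc_uid, uid_t kernel_uid, const char *preload)
{
    if (libc_uid != kernel_uid)
        return VIEW_UID_MISMATCH;
    return preload_entry_count(preload) > 0 ? VIEW_PRELOAD_SET : VIEW_CLEAN;
}

/* Assumption: Linux, where syscall(SYS_getuid) traps straight into the kernel.
 * syscall() is itself a libc symbol, so this is a consistency check, not proof. */
static uid_t kernel_uid(void)
{
    return (uid_t)syscall(SYS_getuid);
}

int main(void)
{
    static const char *names[] = { "clean", "LD_PRELOAD set", "uid mismatch" };
    enum verdict v = classify(getuid(), kernel_uid(), getenv("LD_PRELOAD"));
    printf("libc uid=%ld kernel uid=%ld verdict=%s\n",
           (long)getuid(), (long)kernel_uid(), names[v]);
    return v == VIEW_UID_MISMATCH;
}
```

The access decision itself is made by the kernel on the process's real credentials, which is why the quoted session still gets "Permission denied" on /etc/master.passwd.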