Re: Environment Poisoning and login -p

From: Tim Kientzle (tim_at_kientzle.com)
Date: 02/27/04

    Date: Thu, 26 Feb 2004 15:03:41 -0800
    To: Andrey Chernov <ache@nagual.pp.ru>
    
    

    Andrey Chernov wrote:
    > On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
    >
    >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
    >>and LD_PRELOAD from the environment, even if "-p" is specified.
    >
    > Yes! It is what I have said from the very beginning. It is so obvious that I wonder
    > why others did not see it first.

    It is obvious, it's just not very safe. In general,
    blacklist approaches are pretty poor; it's
    hard to make sure you've caught everything
    and future changes to other parts of the system
    can easily open new problems.

    Instead, I've decided to follow Jacques Vidrine's
    suggestion of using a whitelist of environment variables
    that are "known-safe."

    Tim Kientzle

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
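The blacklist-versus-whitelist point in the message above, as an added C example that is not part of the original post and is not FreeBSD's login code. The allowlist contents, the function names and the sample environment (including the made-up variable LD_FUTURE_KNOB) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration; not the list FreeBSD login ships. */
static const char *const ALLOW[] = { "TERM", "LANG", "TZ", NULL };
/* The two variables named in the thread. */
static const char *const DENY[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };

/* 1 if entry is "NAME=value" and NAME exactly equals an item in list. */
static int name_in(const char *entry, const char *const *list)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;               /* malformed: no name to match */
    size_t n = (size_t)(eq - entry);
    for (; *list != NULL; list++)
        if (strlen(*list) == n && memcmp(entry, *list, n) == 0)
            return 1;
    return 0;
}

/* Denylist: keep unless listed. Allowlist: drop unless listed. */
int denylist_keeps(const char *e)  { return !name_in(e, DENY); }
int allowlist_keeps(const char *e) { return name_in(e, ALLOW); }

/* Copy pointers to kept entries into out (NULL-terminated, cap >= 1). */
size_t filter_env(const char *const *in, const char **out, size_t cap,
                  int (*keep)(const char *))
{
    size_t n = 0;
    for (; *in != NULL && n + 1 < cap; in++)
        if (keep(*in))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

/* Constructed sample environment; LD_FUTURE_KNOB is a made-up name
 * standing in for a variable introduced by a later system change. */
const char *const SAMPLE[] = {
    "TERM=xterm", "LD_PRELOAD=constructed.so", "LD_FUTURE_KNOB=1",
    "TERMCAP=junk", "noequals", NULL
};

int main(void)
{
    const char *out[8];
    printf("denylist keeps %zu\n", filter_env(SAMPLE, out, 8, denylist_keeps));
    printf("allowlist keeps %zu\n", filter_env(SAMPLE, out, 8, allowlist_keeps));
    return 0;
}
```

The denylist passes everything it was not told about, including the unknown variable and the malformed entry, while the allowlist fails closed and keeps only the exact names it lists.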

