Re: SECURITY PROBLEM OR NOT

From: Ian G Batten (I.G.Batten@batten.eu.org)
Date: 11/27/02


From: Ian G Batten <I.G.Batten@batten.eu.org>
Date: 27 Nov 2002 12:43:22 GMT

In article <87el97jmhd.fsf@pele.r.caley.org.uk>,
Richard Caley <MYFIRSTNAME@MYLASTNAME.org.uk> wrote:
> I don't know enough about C2 the interpretation of the certification
> rules to comment in detail, but it doesn't seem to me that it should
> be an issue. Of course, if some system process put secret information
> in the environment, that would be an issue.

Quite. It's a breach of the higher levels, because clearly you can use
process names, arguments and environment variables as a covert channel.
And quite a high bandwidth one, too. But that's not relevant at C2.

> Consider, how is it different from the fact that if you put secret
> information in a world readable file in /tmp/ it will be visible to
> everyone?

For people who've actually written code on Unix and know how closely
related the command line arguments and the environment variables are,
it's no surprise. I guess that the naive might be aware that the
command line is public, but slightly surprised by the environment not
being private.

ian
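
An added example, not part of the original post: a self-audit for the point discussed above, that a process's arguments and environment are handed over together at exec time and should both be treated as process metadata rather than private storage. It assumes the Linux /proc layout (NUL-separated `cmdline` and `environ` files); the name pattern, function names and sample data are constructed for illustration.

```python
import os
import re

# Heuristic for credential-like names; an assumption of this example.
SECRET_NAME = re.compile(r"passw|secret|token|api[_-]?key", re.IGNORECASE)

# Constructed sample data in the NUL-separated form used by /proc/<pid>/cmdline
# and /proc/<pid>/environ.
SAMPLE_CMDLINE = b"backup\0--host\0db1\0--password=hunter2\0"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0DB_PASSWORD=hunter2\0LANG=C\0API_TOKEN=abc\0"


def split_nul(blob):
    """Split a NUL-separated block into a list of strings."""
    return [p.decode("utf-8", "replace") for p in blob.split(b"\0") if p]


def audit(cmdline, environ):
    """Return (where, name) for each secret-looking item.

    Only names are reported, so the audit output does not itself
    become another copy of the secret.
    """
    findings = []
    for arg in split_nul(cmdline):
        name, _, _ = arg.partition("=")
        # Option names such as --password or --password=VALUE.
        if arg.startswith("-") and SECRET_NAME.search(name):
            findings.append(("argv", name))
    for entry in split_nul(environ):
        name, sep, _ = entry.partition("=")
        if sep and SECRET_NAME.search(name):
            findings.append(("environ", name))
    return findings


def audit_self():
    """Audit the current process as it was started (Linux /proc assumed)."""
    with open("/proc/self/cmdline", "rb") as f:
        cmdline = f.read()
    with open("/proc/self/environ", "rb") as f:
        environ = f.read()
    return audit(cmdline, environ)


if __name__ == "__main__":
    print("sample:", audit(SAMPLE_CMDLINE, SAMPLE_ENVIRON))
    if os.path.exists("/proc/self/environ"):
        print("self:  ", audit_self())
```

Anything this reports is better passed through a file with restrictive permissions or an inherited descriptor than through argv or the environment.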