From: Andrew McNaughton
To: freebsd-security@freebsd.org
Date: Sat, 28 Feb 2004 15:54:01 +1300 (NZDT)
Subject: Re: Environment Poisoning and login -p

On Fri, 27 Feb 2004, Peter Pentchev wrote:

> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> > >
> > > Andrey Chernov wrote:
> > > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > > >
> > > >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> > > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > > >
> > > >Yes! It is what I say from very beginning. It is so obvious that I wonder
> > > >why others not see it first.
> > >
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."

Sounds sensible to me, but it exaggerates the need for a configuration file.

In the sudo man page under 'SECURITY NOTES', there are some details of a blacklist approach taken by sudo, dealing with similar issues. Worth looking at while considering the extent of this problem, and because omissions in sudo's blacklist are likely to have been discussed somewhere already.

> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?

> Surely you are aware of the consequences of s/admin/intruder/? :)
> Still, it might be useful indeed.

If the intruder already has root, there's not much to lose here.

Andrew McNaughton

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton
Currently in Boomer Bay, Tasmania
andrew@scoop.co.nz
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
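
The two policies discussed in this thread, side by side, as an added example that is not part of the original message and is not FreeBSD login's code. The contents of SAFE_VARS, the function names and the sample environment are assumptions made for illustration; DENY_VARS holds only the two names given in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Assumed whitelist for illustration; the thread does not give the real list. */
static const char *const SAFE_VARS[] = { "TERM", "LANG", "TZ", NULL };
/* The two names from the thread's first proposed fix (blacklist). */
static const char *const DENY_VARS[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };
/* Constructed sample environment, as "login -p" might inherit it. */
static const char *const SAMPLE_ENV[] = {
    "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "LD_LIBRARY_PATH=/tmp",
    "EXAMPLE_UNLISTED=1", "TERMINAL=1", "=noname", "LANG=C", NULL
};

/* 1 if the first n bytes of name are exactly one of the names in list. */
static int name_in_list(const char *name, size_t n, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strlen(*list) == n && memcmp(name, *list, n) == 0)
            return 1;
    return 0;
}

/* Copy entries that pass the policy into out[] (NULL-terminated, cap slots
 * including the terminator) and return how many were kept.
 * whitelist != 0: default deny (SAFE_VARS); 0: default allow (DENY_VARS). */
size_t filter_env(const char *const *in, const char **out, size_t cap, int whitelist)
{
    size_t k = 0, n;
    if (cap == 0) return 0;
    for (; *in != NULL && k + 1 < cap; in++) {
        const char *eq = strchr(*in, '=');
        if (eq == NULL || eq == *in) continue;   /* malformed: drop always */
        n = (size_t)(eq - *in);
        if (whitelist ? name_in_list(*in, n, SAFE_VARS)
                      : !name_in_list(*in, n, DENY_VARS))
            out[k++] = *in;
    }
    out[k] = NULL;
    return k;
}

int main(void)
{
    const char *out[16];
    size_t wl = filter_env(SAMPLE_ENV, out, 16, 1);
    size_t bl = filter_env(SAMPLE_ENV, out, 16, 0);
    printf("whitelist keeps %zu entries, blacklist keeps %zu\n", wl, bl);
    return 0;
}
```

The blacklist run lets EXAMPLE_UNLISTED and TERMINAL through because anything not named is allowed, which is the omission problem raised above; the whitelist run matches names exactly, so TERMINAL does not pass as TERM.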