From owner-freebsd-security Thu Sep 7 15:20:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3B9CF37B43F; Thu, 7 Sep 2000 15:20:09 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA24042; Thu, 7 Sep 2000 15:20:09 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 15:20:08 -0700 (PDT)
From: Kris Kennaway
To: "Todd C. Miller"
Cc: "Vladimir Mencl, MK, susSED", "Andrey A. Chernov", Warner Losh, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072215.e87MFtQ24652@xerxes.courtesan.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Todd C. Miller wrote:

> Sudo already discards the following:

This is taking the wrong approach. You can't hope to guess all of the
"magic" environment variables which have special meaning on all platforms
on which sudo may run and implement parallel restrictions in sudo.

For (a somewhat contrived) example, under Foonix, libc might read a
variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which
works otherwise (for "debugging purposes" or whatever). If sudo doesn't
filter this out, then users who can run 'sudo root safecommand' can also
edit any file on the system.

IMO, sudo (and all other similar "limited privilege" programs) needs to
take a positive filtering approach: disallow all variables by default,
except for those on a defined list of allowed variables for that
application.

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe
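The two filtering strategies discussed in this message, side by side, as an added example that is not part of the original post and is not sudo's own code. The deny-list filter lets an environment variable it was never told about (the message's hypothetical BREAK_TO_EDITOR_ON_EXEC) reach the privileged child; the allow-list filter only passes variables named in advance and pins PATH to a fixed value. The sample environment, the list contents and the control-character check on values are constructed for this example and are my own choices, not something the message specifies.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Length of the NAME part of a "NAME=value" entry; 0 when there is no '='. */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* 1 if entry's NAME equals the NAME part of spec ("NAME" or "NAME=value"). */
static int same_name(const char *entry, const char *spec) {
    size_t n = name_len(entry);
    const char *eq = strchr(spec, '=');
    size_t m = eq ? (size_t)(eq - spec) : strlen(spec);
    return n != 0 && n == m && strncmp(entry, spec, n) == 0;
}

static int in_list(const char *entry, const char *const *list) {
    for (size_t i = 0; list[i] != NULL; i++)
        if (same_name(entry, list[i])) return 1;
    return 0;
}

/* Extra check (my addition): an allowed name is still dropped if its value
   carries control characters, e.g. a newline hiding a second NAME=value. */
static int value_sane(const char *entry) {
    for (const unsigned char *p = (const unsigned char *)entry; *p; p++)
        if (*p < 0x20 || *p == 0x7f) return 0;
    return 1;
}

size_t env_count(char *const *env) {
    size_t n = 0;
    while (env[n] != NULL) n++;
    return n;
}

/* Value of NAME in env, or NULL if absent. */
const char *env_get(char *const *env, const char *name) {
    for (size_t i = 0; env[i] != NULL; i++)
        if (same_name(env[i], name)) return strchr(env[i], '=') + 1;
    return NULL;
}

/* Negative filtering, the approach the message argues against: every entry
   passes unless its name is on the deny list. The returned NULL-terminated
   array points at the caller's strings; free only the array. */
char **env_denylist(char *const *envp, const char *const *deny) {
    size_t n = env_count(envp), k = 0;
    char **out = malloc((n + 1) * sizeof *out);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        if (name_len(envp[i]) != 0 && !in_list(envp[i], deny)) out[k++] = envp[i];
    out[k] = NULL;
    return out;
}

/* Positive filtering: nothing passes unless its name is on the allow list,
   and forced entries replace whatever the caller supplied for that name. */
char **env_allowlist(char *const *envp, const char *const *allow,
                     const char *const *forced) {
    size_t n = env_count(envp), f = 0, k = 0;
    while (forced[f] != NULL) f++;
    char **out = malloc((n + f + 1) * sizeof *out);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (name_len(envp[i]) == 0 || !value_sane(envp[i])) continue;
        if (in_list(envp[i], forced)) continue;   /* forced value wins */
        if (in_list(envp[i], allow)) out[k++] = envp[i];
    }
    for (size_t i = 0; i < f; i++) out[k++] = (char *)forced[i];
    out[k] = NULL;
    return out;
}

/* Constructed sample environment. BREAK_TO_EDITOR_ON_EXEC is the message's
   hypothetical Foonix variable; no deny list written in advance names it. */
static char *const demo_env[] = {
    "PATH=/tmp/evil:/usr/bin", "HOME=/home/alice", "TERM=xterm",
    "LD_PRELOAD=/tmp/evil.so", "BREAK_TO_EDITOR_ON_EXEC=1",
    "LANG=C\nMALLOC_OPTIONS=J",   /* allowed name, value fails value_sane */
    NULL
};
static const char *const demo_deny[]   = { "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", NULL };
static const char *const demo_allow[]  = { "HOME", "TERM", "LANG", NULL };
static const char *const demo_forced[] = { "PATH=/usr/bin:/bin", NULL };

int main(int argc, char **argv) {
    if (argc > 1) {   /* wrapper mode: run argv[1..] under the allow-list environment */
        char **safe = env_allowlist(environ, demo_allow, demo_forced);
        if (safe == NULL) return 1;
        execve(argv[1], argv + 1, safe);
        perror("execve");
        return 1;
    }
    char **d = env_denylist(demo_env, demo_deny);
    char **a = env_allowlist(demo_env, demo_allow, demo_forced);
    if (d == NULL || a == NULL) return 1;
    puts("deny list (unknown variable leaks through):");
    for (size_t i = 0; d[i] != NULL; i++) printf("  %s\n", d[i]);
    puts("allow list (only named variables survive):");
    for (size_t i = 0; a[i] != NULL; i++) printf("  %s\n", a[i]);
    free(d);
    free(a);
    return 0;
}
```

Run it with no arguments to compare the two filters on the constructed sample, or as `./wrapper /usr/bin/env` to see the allow-list result applied to the real environment of the calling shell. The point of the forced list is that a variable like PATH is never taken from the caller at all, so there is nothing to "guess" about its safe values.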