Date: Thu, 07 Sep 2000 16:20:49 -0600 From: "Todd C. Miller" <Todd.Miller@courtesan.com> To: Kris Kennaway <kris@FreeBSD.org> Cc: "Todd C. Miller" <Todd.Miller@courtesan.com>, "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Warner Losh <imp@village.org>, freebsd-security@FreeBSD.org, security-officer@FreeBSD.org Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <200009072220.e87MKnj06972@xerxes.courtesan.com> In-Reply-To: Your message of "Thu, 07 Sep 2000 15:20:08 PDT." <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org> References: <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org> so spake Kris Kennaway (kris): > IMO, sudo (and all other similar "limited privilege" programs) needs to > take a positive filtering approach: disallow all variables by default, > except for those on a defined list of allowed variables for that > application. Yes, there's really no other way to win the 'battle' if you will. - todd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009072220.e87MKnj06972>