From owner-freebsd-security Thu Sep 7 15:23:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 22ED937B423 for ; Thu, 7 Sep 2000 15:23:48 -0700 (PDT)
Received: by testbed.baileylink.net (Postfix, from userid 1118) id 7EAFD2C90A; Thu, 7 Sep 2000 17:23:44 -0500 (CDT)
Date: Thu, 7 Sep 2000 17:23:43 -0500
From: Brad Guillory
To: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000907172343.F30681@baileylink.net>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200009072215.e87MFtQ24652@xerxes.courtesan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from kris@FreeBSD.org on Thu, Sep 07, 2000 at 03:20:08PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The _best_ method would be to convince the OS to run its own checks on
the environment etc. just as it would have if it were suid.  I can not
think of a way to do this.

On Thu, Sep 07, 2000 at 03:20:08PM -0700, Kris Kennaway wrote:
> On Thu, 7 Sep 2000, Todd C. Miller wrote:
>
> > Sudo already discards the following:
>
> This is taking the wrong approach.  You can't hope to guess all of the
> "magic" environment variables which have special meaning on all platforms
> on which sudo may run and implement parallel restrictions in sudo.
>
> For (a somewhat contrived) example, under Foonix, libc might read a
> variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which
> works otherwise (for "debugging purposes" or whatever).  If sudo doesn't
> filter this out, then users who can run 'sudo root safecommand' can also
> edit any file on the system.
>
> IMO, sudo (and all other similar "limited privilege" programs) needs to
> take a positive filtering approach: disallow all variables by default,
> except for those on a defined list of allowed variables for that
> application.
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
   __O   | Information wants to be free!            |    __O    Bike
 _-\<,_  | FreeBSD:The Power to Serve (easily)      |  _-\<,_    to
(_)/ (_) | OpenBSD:The Power to Serve (securely)    | (_)/ (_)  Work


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message