Date:      Thu, 7 Sep 2000 17:23:43 -0500
From:      Brad Guillory <round@baileylink.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: UNIX locale format string vulnerability (fwd)
Message-ID:  <20000907172343.F30681@baileylink.net>
In-Reply-To: <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org>; from kris@FreeBSD.org on Thu, Sep 07, 2000 at 03:20:08PM -0700
References:  <200009072215.e87MFtQ24652@xerxes.courtesan.com> <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org>

The _best_ method would be to convince the OS to run its own checks on
the environment etc. just as it would have if it were suid.

I can not think of a way to do this.

On Thu, Sep 07, 2000 at 03:20:08PM -0700, Kris Kennaway wrote:
> On Thu, 7 Sep 2000, Todd C. Miller wrote:
> 
> > Sudo already discards the following:
> 
> This is taking the wrong approach. You can't hope to guess all of the
> "magic" environment variables which have special meaning on all platforms
> on which sudo may run and implement parallel restrictions in sudo.
> 
> For (a somewhat contrived) example, under Foonix, libc might read a
> variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which
> works otherwise (for "debugging purposes" or whatever). If sudo doesn't
> filter this out, then users who can run 'sudo root safecommand' can also
> edit any file on the system.
> 
> IMO, sudo (and all other similar "limited privilege" programs) needs to
> take a positive filtering approach: disallow all variables by default,
> except for those on a defined list of allowed variables for that
> application.
> 
> Kris
> 
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe <forsythe@alum.mit.edu>
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
    __O    |     Information wants to be free!     |     __O    Bike
  _-\<,_   |  FreeBSD:The Power to Serve (easily)  |   _-\<,_    to
 (_)/ (_)  | OpenBSD:The Power to Serve (securely) |  (_)/ (_)  Work
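An added example, not code from sudo or from anyone in this thread, of the positive-filtering approach Kris argues for: the environment is rebuilt from a list of permitted names, so a variable such as the contrived BREAK_TO_EDITOR_ON_EXEC is dropped without the program ever having to know it exists. The contents of `allowed_vars` and the function names are assumptions for illustration; a real program would choose the list per application.

```c
#include <stdlib.h>
#include <string.h>

/* Allow-list (constructed for illustration): only these names survive.
 * Everything not listed is discarded, including variables the author
 * has never heard of, which is the point of filtering positively. */
static const char *const allowed_vars[] = { "TERM", "LANG", "USER", NULL };

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* Release an environment array built by filter_env(). */
void free_env(char **env)
{
    if (env == NULL) return;
    for (size_t i = 0; env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Nonzero if "NAME=value" has a non-empty NAME that appears in allow[].
 * Entries without '=' or with an empty name are malformed and rejected. */
int env_entry_allowed(const char *entry, const char *const *allow)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; allow[i] != NULL; i++)
        if (strlen(allow[i]) == name_len && memcmp(allow[i], entry, name_len) == 0)
            return 1;   /* exact name match, so TERM does not admit TERMCAP */
    return 0;
}

/* Build a new NULL-terminated environment holding only allowed entries,
 * in their original order. Returns NULL on allocation failure. */
char **filter_env(char *const *envp, const char *const *allow)
{
    size_t n = 0, k = 0;
    while (envp[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);   /* zeroed: terminator is free */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (!env_entry_allowed(envp[i], allow)) continue;
        if ((out[k] = dup_str(envp[i])) == NULL) { free_env(out); return NULL; }
        k++;
    }
    return out;
}
```

The filtered array is what a privilege-limiting program would hand to execve(2) in place of the caller's environment.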

