From owner-freebsd-hackers  Mon Oct 23 16:20:31 1995
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id QAA05785
          for hackers-outgoing; Mon, 23 Oct 1995 16:20:31 -0700
Received: from aslan.cdrom.com (aslan.cdrom.com [192.216.223.142])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id QAA05775
          for <freebsd-hackers@freebsd.org>; Mon, 23 Oct 1995 16:20:29 -0700
Received: from localhost.cdrom.com (localhost.cdrom.com [127.0.0.1]) by aslan.cdrom.com (8.6.12/8.6.9) with SMTP id QAA21109; Mon, 23 Oct 1995 16:19:58 -0700
Message-Id: <199510232319.QAA21109@aslan.cdrom.com>
X-Authentication-Warning: aslan.cdrom.com: Host localhost.cdrom.com didn't use HELO protocol
To: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A.
    Chernov, Black Mage) <ache@astral.msk.su>
cc: ache@freefall.freebsd.org, John Polstra <jdp@polstra.com>,
        freebsd-hackers@freebsd.org
Subject: Re: ld.so, LD_NOSTD_PATH, and suid/sgid programs 
In-reply-to: Your message of "Tue, 24 Oct 1995 01:39:38 +0300."
             <Aagc1ZmOzJ@ache.dialup.demos.ru> 
Date: Mon, 23 Oct 1995 16:19:58 -0700
From: "Justin T. Gibbs" <gibbs@freefall.freebsd.org>
Sender: owner-hackers@freebsd.org
Precedence: bulk

>In message <m0t7SFB-000078C@seattle.polstra.com> John Polstra writes:
>
>>Can you see a security reason for disabling LD_NOSTD_PATH for suid/sgid
>>programs?  If not, I think that the recent change should be removed from
>>rtld.c.
>
>In this case I keep in mind some shell script execution which calls
>setuid programs. By setiing LD_NOSTD_PATH user allows such
>programs easily fails, it is clear. Here can be very unpleasant
>side effect that usually shell scripts not expects setuid
>programs failing for such reasons and have lack of error traping
>at this point. It can leads to unpredictable things in
>shell script execution flow.
>
>
>-- 
>Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
>ache@astral.msk.su       : That any beholder  /Might fancy me dead -
>http://dt.demos.su/~ache : Might start at beholding me,  /Thinking me dead.
>RELCOM Team,FreeBSD Team :         E.A.Poe         From "For Annie" 1849

UN*X systems have clasically given you a shotgun powerfull enough
to blow your foot off.  If you are knowledgeable enough to use
LD_NOSTD_PATH, then you should know its effects.  Since it is not
a security problem, I don't think it should be removed (as I said
in other mail on this subject).
--
Justin T. Gibbs
===========================================
  Software Developer - Walnut Creek CDROM
  FreeBSD: Turning PCs into workstations
===========================================