From owner-freebsd-security Fri Sep 8 3: 7:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 3666E37B422; Fri, 8 Sep 2000 03:07:43 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id MAA08566; Fri, 8 Sep 2000 12:07:18 +0200 (MET DST)
Date: Fri, 8 Sep 2000 12:07:18 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: David Pick
Cc: "Todd C. Miller", "Andrey A. Chernov", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, David Pick wrote:

> A fair list of not-obviously-related environment variables. (Puts
> on thinking cap and makes a correlation with packet filter rules.)
> It would be *much* safer to adopt a "deny all and only allow a
> list of variables that are known to be safe and wanted" approach
> rather than a "block the ones we know are unsafe and miss blocking
> a few we don't know about".

Yes, that is the correct approach. Probably, sudo should maintain a system-wide list of "good" _and_ wanted variables, + there might be a per-command list of variables to pass.

However, a system facility to keep the "issetugid" flag on for child processes would help us a lot too - the sanity checks made in the libc should be executed too.

What about establishing a convention (if there's none till now) to set an environment variable ISSETUGID in a program like sudo, and passing this variable as a warning indicator to all child processes?

Vladimir Mencl

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
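The "deny all, pass only known-good variables" filter and the ISSETUGID marker discussed in this message, as an added C example that is not code from sudo, FreeBSD or any participant in the thread; the allow list `allowed`, the function `build_safe_env` and the sample environment are constructed for illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a privileged wrapper is willing to pass through unchanged.
   Everything else, including LANG, LC_* and NLSPATH, is dropped rather
   than enumerated. Constructed list, not sudo's real policy. */
static const char *const allowed[] = { "PATH", "TERM", "HOME", "USER", NULL };

/* Returns 1 if the variable name (namelen bytes, no '=') is allow-listed. */
static int is_allowed(const char *name, size_t namelen)
{
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == namelen && memcmp(allowed[i], name, namelen) == 0)
            return 1;
    return 0;
}

/* Copy the allow-listed entries of envp into out (capacity cap, counting the
   terminating NULL) and append the ISSETUGID=1 marker the mail proposes, so
   children know they run under a privilege-changing parent.
   Returns the number of entries written, or -1 if out is too small. */
int build_safe_env(char *const envp[], char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL)                                        /* malformed: drop */
            continue;
        if (!is_allowed(envp[i], (size_t)(eq - envp[i])))      /* not on list: drop */
            continue;
        if (n + 2 > cap)                                       /* need room for marker+NULL */
            return -1;
        out[n++] = envp[i];
    }
    if (n + 2 > cap)
        return -1;
    out[n++] = "ISSETUGID=1";
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed "dirty" environment as a caller might hand to a setuid wrapper. */
    char *const dirty[] = { "PATH=/bin:/usr/bin", "LANG=untrusted-value", "TERM=vt100",
                            "NLSPATH=/tmp/untrusted", "HOME=/home/alice", "JUNK", NULL };
    char *clean[8];
    int n = build_safe_env(dirty, clean, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", clean[i]);   /* PATH, TERM, HOME, ISSETUGID=1 survive */
    return n < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

The filtered array is what a wrapper would hand to execve(2) instead of its own environ.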