Date: Fri, 8 Sep 2000 12:07:18 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: David Pick <D.M.Pick@qmw.ac.uk>
Cc: "Todd C. Miller" <Todd.Miller@courtesan.com>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Warner Losh <imp@village.org>, Kris Kennaway <kris@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <Pine.GSO.4.10.10009081156510.7783-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <E13XKrz-00050c-00@xi.css.qmw.ac.uk>

On Fri, 8 Sep 2000, David Pick wrote:

> A fair list of not-obviously-related environment variables. (Puts
> on thinking cap and makes a correlation with packet filter rules.)
> It would be *much* safer to adopt a "deny all and only allow a
> list of variables that are known to be safe and wanted" approach
> rather than a "block the ones we know are unsafe and miss blocking
> a few we don't know about".

Yes, that is the correct approach.

Probably, sudo should maintain a system-wide list of
"good"_and_wanted variables, + there might be a per-command list of
variables to pass.

However, a system facility to keep on the "issetugid" flag for child
processes would help us a lot too - the sanity checks made in the libc
should be executed too.

What about establishing a convention (if there's none till now) to set
an environment variable ISSETUGID in a program like sudo, and passing
this variable as a warning indicator to all child processes?

Vladimir Mencl
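
The default-deny filtering discussed in this message, as an added example that is not part of the original e-mail and is not sudo's code: the child environment starts empty and receives only names found on a system-wide or per-command list. The list contents, the function names and the value `ISSETUGID=1` are assumptions made for illustration; the marker variable is only the convention proposed above, not an existing facility.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical system-wide list; the names are illustrative, not sudo's. */
static const char *const global_allow[] = { "TERM", "HOME", "USER", NULL };
/* 1 if the n-byte variable name at e is in the NULL-terminated list. */
static int name_in(const char *const *list, const char *e, size_t n)
{
    for (; list && *list; list++)
        if (strlen(*list) == n && memcmp(*list, e, n) == 0) return 1;
    return 0;
}
/* 1 if out[0..count) already holds an entry with the same n-byte name. */
static int already_set(char **out, size_t count, const char *e, size_t n)
{
    for (size_t i = 0; i < count; i++)
        if (strncmp(out[i], e, n) == 0 && out[i][n] == '=') return 1;
    return 0;
}

/* Default-deny: start with only the marker, then copy entries whose name is
 * on either list. Returns a malloc'd array (strings borrowed), or NULL. */
char **build_env(char *const envp[], const char *const *cmd_allow)
{
    size_t n = 0, count = 0;
    while (envp[n]) n++;
    char **out = calloc(n + 2, sizeof *out);   /* zeroed: stays terminated */
    if (!out) return NULL;
    out[count++] = (char *)"ISSETUGID=1";  /* first: caller's copy is a dup */
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(envp[i], '=');
        if (!eq || eq == envp[i]) continue;                  /* malformed */
        size_t len = (size_t)(eq - envp[i]);
        if (!name_in(global_allow, envp[i], len) &&
            !name_in(cmd_allow, envp[i], len)) continue;     /* not listed */
        if (already_set(out, count, envp[i], len)) continue; /* duplicate */
        out[count++] = envp[i];
    }
    return out;
}

int main(void)
{
    /* Constructed sample input and per-command list. */
    char *in[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "ISSETUGID=0", "DISPLAY=:0", NULL };
    const char *const cmd[] = { "DISPLAY", NULL };
    for (char **p = build_env(in, cmd); p && *p; p++) puts(*p);
    return 0;
}
```

Names are compared over their full length, so a listed `TERM` does not admit `TERMCAP`, and only the first occurrence of a name is kept.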