Date:      Tue, 11 Aug 1998 16:42:56 -0700 (PDT)
From:      Marc Slemko <marcs@znep.com>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Possible security "risk" in ftp client
Message-ID:  <Pine.GSO.4.00.9808111641360.19881-100000@redfish>
In-Reply-To: <199808112338.TAA14075@khavrinen.lcs.mit.edu>


On Tue, 11 Aug 1998, Garrett Wollman wrote:

> <<On Tue, 11 Aug 1998 13:44:12 -0700 (PDT), Marc Slemko <marcs@znep.com> said:
> 
> > Naw, that is worse since you can just use ps to grab it; the reason it is
> > worse is because it tends to lead to people leaving it set when they
> > aren't actually using the program.
> 
> I think there are good reasons (and this is one of them) to disable
> the environment-dumping option of ps.  Unfortunately it is probably
> too well-entrenched to kill.  I had totally forgotten about it until
> this discussion began.

It is a useful option.  I routinely use it to exploit security holes.  <g>

I also do use it sometimes for debugging.

What may be worth considering is doing what Linux (and perhaps others...)
do; i.e. not allowing you to see the environment of other UIDs, just of
your own processes.
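
Added example, not part of the original message: a Python check for the per-UID restriction mentioned above, reporting for a Linux-style /proc which processes' environ files are advertised as readable only by their owner. The function names, the temporary sample tree and its SAMPLE_VAR contents are constructed for illustration.

```python
import os
import stat
import tempfile


def classify_environ(proc_root="/proc", my_uid=None):
    """Group PIDs by who the environ file's owner and mode bits say may read it.

    Linux normally presents /proc/<pid>/environ as mode 0400 owned by the
    process's user; the kernel also applies its own access check on read,
    so this reports the advertised permissions only.
    """
    my_uid = os.getuid() if my_uid is None else my_uid
    report = {"own": [], "other_restricted": [], "other_exposed": []}
    for pid in sorted(int(n) for n in os.listdir(proc_root) if n.isdigit()):
        try:
            st = os.stat(os.path.join(proc_root, str(pid), "environ"))
        except OSError:
            continue  # process exited, or the entry is hidden from us
        if st.st_uid == my_uid:
            report["own"].append(pid)
        elif st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            report["other_exposed"].append(pid)  # readable beyond the owner
        else:
            report["other_restricted"].append(pid)
    return report


def build_sample_tree(modes):
    """Constructed stand-in for /proc: {pid: mode} becomes a temp directory."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, mode in modes.items():
        os.mkdir(os.path.join(root, str(pid)))
        path = os.path.join(root, str(pid), "environ")
        with open(path, "wb") as fh:
            fh.write(b"SAMPLE_VAR=constructed\0")
        os.chmod(path, mode)
    # A non-PID entry, as a real /proc has, to show it is skipped.
    open(os.path.join(root, "uptime"), "w").close()
    return root


if __name__ == "__main__":
    if os.path.isdir("/proc/self"):
        for group, pids in classify_environ().items():
            print(f"{group}: {len(pids)} process(es)")
```

On a system that enforces the restriction, other_exposed is empty; any PID listed there is worth investigating.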

