Date: Fri, 27 Feb 2004 01:51:49 +0300 From: Andrey Chernov <ache@nagual.pp.ru> To: kientzle@acm.org Cc: das@FreeBSD.ORG Subject: Re: Environment Poisoning and login -p Message-ID: <20040226225149.GB73252@nagual.pp.ru> In-Reply-To: <403CEF67.5040004@kientzle.com> References: <403CEF67.5040004@kientzle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote: > Possible fix: Ignore "-p" flag if target shell is not > in /etc/shells. In this scenario, a nologin program would > not be listed in /etc/shells, and thus such attacks would > be blocked. Please, no, -p functionality is there for reason. > Possible fix: Have login unconditionally discard LD_LIBRARY_PATH > and LD_PRELOAD from the environment, even if "-p" is specified. Yes! It is what I say from very beginning. It is so obvious that I wonder why others not see it first. > Possible fix: Eliminate the "-p" option to login. No. -- Andrey Chernov | http://ache.pp.ru/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040226225149.GB73252>