From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 15:04:03 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1503E16A4CE; Thu, 26 Feb 2004 15:04:03 -0800 (PST)
Received: from kientzle.com (h-66-166-149-50.SNVACAID.covad.net [66.166.149.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E5FA43D31; Thu, 26 Feb 2004 15:04:02 -0800 (PST) (envelope-from tim@kientzle.com)
Received: from kientzle.com (54.kientzle.com [66.166.149.54] (may be forged)) by kientzle.com (8.12.9/8.12.9) with ESMTP id i1QN3f7g017367; Thu, 26 Feb 2004 15:03:41 -0800 (PST) (envelope-from tim@kientzle.com)
Message-ID: <403E7B4D.8030803@kientzle.com>
Date: Thu, 26 Feb 2004 15:03:41 -0800
From: Tim Kientzle
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031006
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Andrey Chernov
References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru>
In-Reply-To: <20040226225149.GB73252@nagual.pp.ru>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Fri, 27 Feb 2004 03:04:53 -0800
cc: freebsd-security@FreeBSD.ORG
cc: das@FreeBSD.ORG
cc: kientzle@acm.org
Subject: Re: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: kientzle@acm.org
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 26 Feb 2004 23:04:03 -0000

Andrey Chernov wrote:
> On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
>
>> Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
>> and LD_PRELOAD from the environment, even if "-p" is specified.
>
> Yes! It is what I have said from the very beginning. It is so obvious that I wonder
> why others did not see it first.
It is obvious, it's just not very safe. In general, blacklist approaches are pretty poor; it's hard to make sure you've caught everything and future changes to other parts of the system can easily open new problems. Instead, I've decided to follow Jacques Vidrine's suggestion of using a whitelist of environment variables that are "known-safe."

Tim Kientzle
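The blacklist-versus-whitelist contrast in the reply above, as an added example that is not part of the original thread and not FreeBSD's login(1) code: both policies are run over a constructed environment such as a caller might hand to login -p. The whitelist `safe_vars`, the blacklist `blocked_vars`, the entry `LD_FUTURE_OPTION` (standing in for a loader variable that did not exist when the blacklist was written) and all helper names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Whitelist of names treated as safe to carry across login -p.  Constructed
 * for this example; the set FreeBSD actually adopted is not reproduced here. */
static const char *const safe_vars[] = {
    "TERM", "HOME", "SHELL", "LANG", "TZ", "DISPLAY", NULL
};

/* Blacklist of the two loader variables named in the thread. */
static const char *const blocked_vars[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };

/* Length of the NAME part of a "NAME=value" entry; 0 if the entry is malformed. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq == NULL ? 0 : (size_t)(eq - entry);
}

/* Does the entry's NAME appear in the NULL-terminated list of names? */
static int name_in_list(const char *entry, const char *const list[])
{
    size_t n = env_name_len(entry);
    for (size_t i = 0; n != 0 && list[i] != NULL; i++)
        if (strlen(list[i]) == n && strncmp(list[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Whitelist policy: keep only known-safe names; malformed entries are dropped. */
static int keep_whitelisted(const char *entry) { return name_in_list(entry, safe_vars); }

/* Blacklist policy: keep every well-formed entry except the known-bad names. */
static int keep_unblacklisted(const char *entry)
{
    return env_name_len(entry) != 0 && !name_in_list(entry, blocked_vars);
}

static void free_env(char **env)
{
    for (size_t i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Build a NULL-terminated copy of envp holding only entries accepted by
 * keep().  Returns NULL on allocation failure; release with free_env(). */
static char **filter_env(char *const envp[], int (*keep)(const char *))
{
    size_t n = 0, kept = 0;
    while (envp[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof *out);   /* zeroed, so always NULL-terminated */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (!keep(envp[i]))
            continue;
        size_t len = strlen(envp[i]) + 1;
        if ((out[kept] = malloc(len)) == NULL) {
            free_env(out);
            return NULL;
        }
        memcpy(out[kept++], envp[i], len);
    }
    return out;
}

static size_t env_count(char *const env[])
{
    size_t n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

/* Is a variable with exactly this NAME present in env? */
static int env_has(char *const env[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (env_name_len(env[i]) == n && strncmp(env[i], name, n) == 0)
            return 1;
    return 0;
}

/* Constructed caller environment.  LD_FUTURE_OPTION is a hypothetical loader
 * variable added after the blacklist was written. */
static char *const demo_env[] = {
    "TERM=xterm", "HOME=/home/alice", "LD_PRELOAD=/tmp/untrusted.so",
    "LD_LIBRARY_PATH=/tmp", "LD_FUTURE_OPTION=1", NULL
};

int main(void)
{
    char **w = filter_env(demo_env, keep_whitelisted);
    char **b = filter_env(demo_env, keep_unblacklisted);
    if (w == NULL || b == NULL)
        return 1;
    printf("whitelist keeps %zu entries, blacklist keeps %zu\n", env_count(w), env_count(b));
    printf("LD_FUTURE_OPTION survives the blacklist: %s\n", env_has(b, "LD_FUTURE_OPTION") ? "yes" : "no");
    free_env(w);
    free_env(b);
    return 0;
}
```

The whitelist pass keeps only TERM and HOME; the blacklist pass keeps those plus the new loader variable, which is the "future changes open new problems" case the reply describes. Note that both policies drop entries without an `=`, since a malformed entry should never reach the login shell's environment.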