Date: Tue, 5 Aug 1997 09:16:33 +0200 From: j@uriah.heep.sax.de (J Wunsch) To: jseng@pobox.org.sg (James Seng) Cc: marcs@znep.com (Marc Slemko), freebsd@atipa.com (Atipa), jonz@netrail.net (Jonathan A. Zdziarski), ports@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: SetUID Message-ID: <19970805091633.IM60027@uriah.heep.sax.de> In-Reply-To: <3.0.32.19970805161419.00a65b08@student.anu.edu.au>; from James Seng on Aug 5, 1997 16:14:28 %2B1000 References: <3.0.32.19970805161419.00a65b08@student.anu.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
As James Seng wrote: > In other words, the shell script #!/bin/sh would not be suspetible to ENV > parsing problem but the wrapper will. The easilest (and oldest) exploited > would probably be using IFS on the posted wrapper program *8) No. Our shell doesn't import IFS. > Look at wrapper which comes with sendmail if you really want something > which is more secure. This advise is still valid, of course. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970805091633.IM60027>