Date: Fri, 27 Feb 2004 13:20:30 +0200 From: Peter Pentchev <roam@ringlet.net> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: kientzle@acm.org Subject: Re: Environment Poisoning and login -p Message-ID: <20040227112029.GA736@straylight.m.ringlet.net> In-Reply-To: <20040227111353.GA14777@sheol.localdomain> References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com> <20040227111353.GA14777@sheol.localdomain>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote: > On Feb 26, at 03:03 PM, Tim Kientzle wrote: > > > > Andrey Chernov wrote: > > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote: > > > > > >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH > > >>and LD_PRELOAD from the environment, even if "-p" is specified. > > > > > >Yes! It is what I say from very beginning. It is so obvious that I wonder > > >why others not see it first. > > > > Instead, I've decided to follow Jacques Vidrine's > > suggestion of using a whitelist of environment variables > > that are "known-safe." > > Coming in from left field... Will there be some sort of mechanism for > an admin to set/modify this list? > > Runs, ducking, > Dave Surely you are aware of the consequences of s/admin/intruder/? :) Still, it might be useful indeed. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Hey, out there - is it *you* reading me, or is it someone else? [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAPyf97Ri2jRYZRVMRAmC/AJsFmED0ilHN3BdGxjzmNPFg4YduiwCeK+mr xfQvtdygC9SY2Qoy+WdxMJ8= =3QTg -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040227112029.GA736>