Date:      Fri, 27 Feb 2004 13:20:30 +0200
From:      Peter Pentchev <roam@ringlet.net>
To:        D J Hawkey Jr <hawkeyd@visi.com>
Cc:        kientzle@acm.org
Subject:   Re: Environment Poisoning and login -p
Message-ID:  <20040227112029.GA736@straylight.m.ringlet.net>
In-Reply-To: <20040227111353.GA14777@sheol.localdomain>
References:  <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com> <20040227111353.GA14777@sheol.localdomain>

On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> >
> > Andrey Chernov wrote:
> > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > >
> > >>Possible fix:  Have login unconditionally discard LD_LIBRARY_PATH
> > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > >
> > >Yes! It is what I say from the very beginning. It is so obvious that I wonder
> > >why others did not see it first.
> >
> > Instead, I've decided to follow Jacques Vidrine's
> > suggestion of using a whitelist of environment variables
> > that are "known-safe."
>
> Coming in from left field... Will there be some sort of mechanism for
> an admin to set/modify this list?
>
> Runs, ducking,
> Dave

Surely you are aware of the consequences of s/admin/intruder/? :)
Still, it might be useful indeed.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?
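
The thread contrasts stripping two named variables with keeping only a "known-safe" whitelist; the following C sketch is an added example (not code from login(1) or from anyone in the thread) that runs both filters over a constructed environment. The allowlist contents, the function names `filter_env` and `name_in_list`, and the variable `LD_HYPOTHETICAL_NEW` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Assumed allowlist for illustration; not the list chosen for login(1). */
static const char *const allowed_names[] = { "TERM", "LANG", "TZ", NULL };
/* The two names from the first proposal quoted in the thread. */
static const char *const denied_names[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };
/* Constructed sample environment; LD_HYPOTHETICAL_NEW is a made-up name. */
static char *sample_env[] = {
    "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "TERMCAP=constructed",
    "LD_HYPOTHETICAL_NEW=1", "LANG=C", "malformed", NULL
};

/* Return 1 if entry is "NAME=value" and NAME exactly equals one of names[]. */
static int name_in_list(const char *entry, const char *const names[])
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)   /* no '=' or empty name: never a match */
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; names[i] != NULL; i++)
        if (strlen(names[i]) == len && memcmp(entry, names[i], len) == 0)
            return 1;
    return 0;
}

/* Copy kept entries into out[] (outcap slots, NULL included); return count.
 * use_allowlist=1: keep only allowed names. 0: drop only denied names. */
size_t filter_env(char *const envp[], int use_allowlist, char *out[], size_t outcap)
{
    size_t n = 0;
    if (outcap == 0)
        return 0;
    for (size_t i = 0; envp[i] != NULL && n + 1 < outcap; i++) {
        int keep = use_allowlist ? name_in_list(envp[i], allowed_names)
                                 : !name_in_list(envp[i], denied_names);
        if (keep)
            out[n++] = envp[i];
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    char *out[8];
    size_t d = filter_env(sample_env, 0, out, 8), a = filter_env(sample_env, 1, out, 8);
    printf("denylist keeps %zu entries, allowlist keeps %zu\n", d, a);
    return 0;
}
```

On the sample input the denylist still passes the unanticipated loader-style variable and the malformed entry, while the allowlist passes only `TERM` and `LANG`; `TERMCAP` is rejected because names are compared exactly rather than by prefix.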



