Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 27 Feb 2004 05:30:37 -0600
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        D J Hawkey Jr <hawkeyd@visi.com>, kientzle@acm.org, Andrey Chernov <ache@nagual.pp.ru>, das@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: Environment Poisoning and login -p
Message-ID:  <20040227113037.GA14849@sheol.localdomain>
In-Reply-To: <20040227112029.GA736@straylight.m.ringlet.net>
References:  <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com> <20040227111353.GA14777@sheol.localdomain> <20040227112029.GA736@straylight.m.ringlet.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Feb 27, at 01:20 PM, Peter Pentchev wrote:
> 
> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> > > 
> > > Andrey Chernov wrote:
> > > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > > >
> > > >>Possible fix:  Have login unconditionally discard LD_LIBRARY_PATH
> > > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > > >
> > > >Yes! It is what I say from very beginning. It is so obvious that I wonder 
> > > >why others not see it first.
> > > 
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."
> > 
> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?
> 
> Surely you are aware of the consequences of s/admin/intruder/? :)
> Still, it might be useful indeed.

Of course I do; it would have to be a "secure" mechanism (and more
flexible than recompiling the utility). But OTOH, how can the developers
foresee all the possibilities of all the deployed systems Out There(tm)?

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040227113037.GA14849>