Date:      Thu, 7 Sep 2000 15:20:08 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        "Todd C. Miller" <Todd.Miller@courtesan.com>
Cc:        "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Warner Losh <imp@village.org>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: UNIX locale format string vulnerability (fwd) 
Message-ID:  <Pine.BSF.4.21.0009071516460.16976-100000@freefall.freebsd.org>
In-Reply-To: <200009072215.e87MFtQ24652@xerxes.courtesan.com>

On Thu, 7 Sep 2000, Todd C. Miller wrote:

> Sudo already discards the following:

This is taking the wrong approach. You can't hope to guess all of the
"magic" environment variables which have special meaning on all platforms
on which sudo may run and implement parallel restrictions in sudo.

For (a somewhat contrived) example, under Foonix, libc might read a
variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which
works otherwise (for "debugging purposes" or whatever). If sudo doesn't
filter this out, then users who can run 'sudo root safecommand' can also
edit any file on the system.

IMO, sudo (and all other similar "limited privilege" programs) needs to
take a positive filtering approach: disallow all variables by default,
except for those on a defined list of allowed variables for that
application.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
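The positive-filtering approach argued for above, as an added example (not sudo's code and not part of the original message): a denylist filter and an allowlist filter are run over the same execve-style environment, including the hypothetical Foonix variable BREAK_TO_EDITOR_ON_EXEC from the mail, to show that only the allowlist drops a variable nobody thought to name. The denylist and allowlist contents are constructed for illustration.

```python
"""Denylist versus allowlist filtering of the environment passed to a
privileged command. Example code only; sudo's real lists are not reproduced."""
from typing import Dict, Iterable, List

# Constructed denylist: names a sudo-like program might know to strip.
DENYLIST = {"IFS", "ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed allowlist: the only variables the privileged program passes on.
ALLOWLIST = {"PATH", "HOME", "TERM", "LANG", "DISPLAY"}


def parse_envp(envp: Iterable[str]) -> Dict[str, str]:
    """Turn an execve-style list of 'NAME=value' strings into a dict.
    Entries with no '=' or an empty name are malformed and dropped; on a
    duplicated name the first occurrence wins, as getenv(3) would see it."""
    env: Dict[str, str] = {}
    for entry in envp:
        name, sep, value = entry.partition("=")
        if not sep or not name:
            continue
        env.setdefault(name, value)
    return env


def denylist_filter(envp: Iterable[str]) -> Dict[str, str]:
    """Negative filtering: everything passes unless its name is known-bad."""
    return {k: v for k, v in parse_envp(envp).items() if k not in DENYLIST}


def allowlist_filter(envp: Iterable[str]) -> Dict[str, str]:
    """Positive filtering: nothing passes unless its name is known-good."""
    return {k: v for k, v in parse_envp(envp).items() if k in ALLOWLIST}


def to_envp(env: Dict[str, str]) -> List[str]:
    """Rebuild the 'NAME=value' list that os.execve() expects."""
    return [f"{k}={v}" for k, v in env.items()]


# Constructed caller environment; BREAK_TO_EDITOR_ON_EXEC is the hypothetical
# platform-specific variable from the mail, unknown to the denylist.
SAMPLE_ENVP = [
    "PATH=/usr/bin:/bin",
    "HOME=/home/alice",
    "TERM=xterm",
    "LD_PRELOAD=/tmp/x.so",
    "BREAK_TO_EDITOR_ON_EXEC=1",
    "MALFORMED",
    "PATH=/tmp",
]
```

Running both filters over SAMPLE_ENVP shows the denylist strips LD_PRELOAD yet passes BREAK_TO_EDITOR_ON_EXEC, while the allowlist passes only PATH, HOME and TERM.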


