Date: Fri, 30 Dec 2011 00:46:37 +0400 From: Andrey Chernov <ache@FreeBSD.ORG> To: d@delphij.net Cc: freebsd-security@FreeBSD.ORG, Doug Barton <dougb@FreeBSD.ORG>, John Baldwin <jhb@FreeBSD.ORG> Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... Message-ID: <20111229204637.GB51102@vniz.net> In-Reply-To: <4EFCCDDF.5080602@delphij.net> References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291400.41075.jhb@freebsd.org> <CAGMYy3t89jcmU6AP4Bsa%2Bv%2BVs%2BK7qm_SaqwA5u==wKrzaqTWBQ@mail.gmail.com> <201112291435.03493.jhb@freebsd.org> <4EFCCDDF.5080602@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 29, 2011 at 12:30:23PM -0800, Xin Li wrote: > >> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin <jhb@freebsd.org> > > Another route might have been set an env > > var I already suggest it as one of possible ways. > Using an environment variable may be not a good idea since it can be > easily overridden, and I think if the program runs something inside > the chroot, the jailed chroot would have more proper setup to avoid > this type of attack? In case user (more precisely, ftpd) runs any program which resides in=20 /incoming/, nothing helps in anycase. In case ftpd runs known programs=20 =66rom known locations only, it can't be overriden because known program=20 (say, ls) is not malicious by itself and can be turned malicious only by=20 loading .so from current directory, which env variable prevents. --=20 http://ache.vniz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111229204637.GB51102>