Date:      Sat, 28 Feb 2004 15:54:01 +1300 (NZDT)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        freebsd-security@freebsd.org
Subject:   Re: Environment Poisoning and login -p
Message-ID:  <20040228144701.H18919@a2.scoop.co.nz>
In-Reply-To: <20040227112029.GA736@straylight.m.ringlet.net>
References:  <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <20040227111353.GA14777@sheol.localdomain> <20040227112029.GA736@straylight.m.ringlet.net>


On Fri, 27 Feb 2004, Peter Pentchev wrote:
> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> > >
> > > Andrey Chernov wrote:
> > > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > > >
> > > >>Possible fix:  Have login unconditionally discard LD_LIBRARY_PATH
> > > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > > >
> > > >Yes! It is what I have said from the very beginning. It is so obvious that I wonder
> > > >why others did not see it first.
> > >
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."

Sounds sensible to me, but it exaggerates the need for a configuration
file.

In the sudo man page under 'SECURITY NOTES', there are some details of a
blacklist approach taken by sudo, dealing with similar issues.  Worth
looking at while considering the extent of this problem, and because
omissions in sudo's blacklist are likely to have been discussed somewhere
already.

> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?

> Surely you are aware of the consequences of s/admin/intruder/? :)
> Still, it might be useful indeed.

If the intruder already has root, there's not much to lose here.

Andrew McNaughton


--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           Currently in Boomer Bay, Tasmania
andrew@scoop.co.nz
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
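To make the whitelist-versus-blacklist trade-off discussed above concrete, here is an added example; it is not code from login(1), sudo, or anyone in the thread. It implements both policies over a constructed sample environment: the allowlist keeps only names known to be safe, while the denylist drops only the names it has been told about, so a loader variable it has never heard of (the constructed `LD_NEW_KNOB`) slips through. The policy lists and the sample environment are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the NAME part of a "NAME=value" environment entry. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Nonzero if the entry's NAME is one of the names in the NULL-terminated list. */
static int name_in_list(const char *entry, const char *const *list)
{
    size_t n = env_name_len(entry);
    for (; *list != NULL; list++)
        if (strlen(*list) == n && strncmp(entry, *list, n) == 0)
            return 1;
    return 0;
}

/* Allowlist policy: keep only entries whose name is known-safe. */
size_t env_keep_allowed(const char *const *envp, const char *const *allow,
                        const char **out, size_t cap)
{
    size_t kept = 0;
    for (; *envp != NULL && kept < cap; envp++)
        if (name_in_list(*envp, allow))
            out[kept++] = *envp;
    return kept;
}

/* Denylist policy: keep everything except entries whose name is listed. */
size_t env_drop_denied(const char *const *envp, const char *const *deny,
                       const char **out, size_t cap)
{
    size_t kept = 0;
    for (; *envp != NULL && kept < cap; envp++)
        if (!name_in_list(*envp, deny))
            out[kept++] = *envp;
    return kept;
}

/* Nonzero if a filtered environment still carries an entry named NAME. */
int env_has(const char **env, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (env_name_len(env[i]) == strlen(name) &&
            strncmp(env[i], name, strlen(name)) == 0)
            return 1;
    return 0;
}

/* Constructed sample environment, as a caller of "login -p" might hand over. */
static const char *const sample_env[] = {
    "HOME=/home/alice",
    "TERM=xterm",
    "LD_PRELOAD=/tmp/untrusted.so",
    "LD_LIBRARY_PATH=/tmp",
    "LD_NEW_KNOB=1",   /* constructed name: a loader variable the denylist was never told about */
    NULL
};

/* Constructed policy lists; a real one would track the dynamic loader's documentation. */
static const char *const allow_names[] = { "HOME", "TERM", "USER", "LANG", NULL };
static const char *const deny_names[]  = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Run the allowlist policy over sample_env and report whether NAME survived. */
int allowlist_keeps(const char *name)
{
    const char *out[16];
    size_t n = env_keep_allowed(sample_env, allow_names, out, 16);
    return env_has(out, n, name);
}

/* Same for the denylist policy. */
int denylist_keeps(const char *name)
{
    const char *out[16];
    size_t n = env_drop_denied(sample_env, deny_names, out, 16);
    return env_has(out, n, name);
}

int main(void)
{
    const char *names[] = { "HOME", "LD_PRELOAD", "LD_NEW_KNOB" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-12s allowlist:%d denylist:%d\n", names[i],
               allowlist_keeps(names[i]), denylist_keeps(names[i]));
    return 0;
}
```

Both policies drop LD_PRELOAD and keep HOME; only the allowlist also drops LD_NEW_KNOB. That asymmetry is the reason an allowlist needs no knowledge of the loader's full variable set, and why a denylist is only as good as its last update.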