Date:      Fri, 27 Feb 2004 05:13:53 -0600
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        kientzle@acm.org
Cc:        freebsd-security@freebsd.org
Subject:   Re: Environment Poisoning and login -p
Message-ID:  <20040227111353.GA14777@sheol.localdomain>
In-Reply-To: <403E7B4D.8030803@kientzle.com>
References:  <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com>

On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> 
> Andrey Chernov wrote:
> >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> >
> >>Possible fix:  Have login unconditionally discard LD_LIBRARY_PATH
> >>and LD_PRELOAD from the environment, even if "-p" is specified.
> >
> >Yes! It is what I have said from the very beginning. It is so obvious that
> >I wonder why others did not see it first.
> 
> Instead, I've decided to follow Jacques Vidrine's
> suggestion of using a whitelist of environment variables
> that are "known-safe."

Coming in from left field... Will there be some sort of mechanism for
an admin to set/modify this list?

Runs, ducking,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
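
The whitelist approach mentioned in the quoted text, shown as an added example (not code from FreeBSD's login or from anyone in this thread). The names in safe_vars, the function names, and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical whitelist for illustration; not the list login(1) uses. */
static const char *const safe_vars[] = { "TERM", "LANG", "TZ", NULL };

/* Return 1 only for "NAME=value" where NAME exactly equals a whitelisted name. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, len;

    if (eq == NULL || eq == entry)   /* malformed: no '=' or empty name */
        return 0;
    len = (size_t)(eq - entry);
    for (i = 0; safe_vars[i] != NULL; i++) {
        /* Compare the full name so "TERMCAP=..." does not pass as "TERM". */
        if (strlen(safe_vars[i]) == len &&
            strncmp(entry, safe_vars[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compact envp in place, keeping whitelisted entries; returns how many remain. */
size_t env_filter_whitelist(char **envp)
{
    size_t in, out = 0;

    for (in = 0; envp[in] != NULL; in++)
        if (env_entry_allowed(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return out;
}

int main(void)
{
    /* Constructed sample environment, as a caller of "login -p" might pass. */
    char *env[] = { "LD_PRELOAD=/tmp/x.so", "TERM=xterm", "LD_LIBRARY_PATH=/tmp",
                    "TERMCAP=constructed", "BROKEN", "TZ=UTC", NULL };
    size_t i, n = env_filter_whitelist(env);

    for (i = 0; i < n; i++)
        puts(env[i]);                /* prints TERM=xterm then TZ=UTC */
    return 0;
}
```

Because the filter keeps only what is listed, any loader variable not named on the list is dropped without the code having to know about it, which is the difference from discarding LD_LIBRARY_PATH and LD_PRELOAD by name.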


