Date: Fri, 27 Feb 2004 05:13:53 -0600
From: D J Hawkey Jr <hawkeyd@visi.com>
To: kientzle@acm.org
Cc: freebsd-security@freebsd.org
Subject: Re: Environment Poisoning and login -p
Message-ID: <20040227111353.GA14777@sheol.localdomain>
In-Reply-To: <403E7B4D.8030803@kientzle.com>
References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com>

On Feb 26, at 03:03 PM, Tim Kientzle wrote:
>
> Andrey Chernov wrote:
> >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> >
> >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> >>and LD_PRELOAD from the environment, even if "-p" is specified.
> >
> >Yes! It is what I say from very beginning. It is so obvious that I wonder
> >why others not see it first.
>
> Instead, I've decided to follow Jacques Vidrine's
> suggestion of using a whitelist of environment variables
> that are "known-safe."

Coming in from left field...

Will there be some sort of mechanism for an admin to set/modify
this list?

Runs, ducking,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
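
The two fixes quoted above, side by side, as an added example that is not part of the original message and is not FreeBSD's login(1) code. The contents of `safe_vars` and the variable name `LD_EXAMPLE_FUTURE` are assumptions made up for illustration: discarding only the two named variables lets an unanticipated name through, while the whitelist drops it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed whitelist for illustration; not the list login(1) uses. */
const char *const safe_vars[] = { "TERM", "LANG", "TZ", NULL };
/* The two variables named in the first proposal in the thread. */
const char *const ld_vars[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };

/* Length of the NAME part of "NAME=value"; 0 if the entry is malformed. */
static size_t name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq == NULL ? 0 : (size_t)(eq - entry);
}

/* 1 if the entry's name exactly matches a name in the NULL-terminated list. */
static int listed(const char *entry, const char *const *names)
{
    size_t len = name_len(entry);
    for (; len != 0 && *names != NULL; names++)
        if (strlen(*names) == len && strncmp(entry, *names, len) == 0)
            return 1;
    return 0;
}

/* Compact env in place and return the number of entries kept.
 * whitelist != 0: keep only listed names. whitelist == 0: drop only
 * listed names. Malformed entries (no '=' or empty name) are always dropped. */
size_t filter_env(char **env, const char *const *names, int whitelist)
{
    size_t in, out = 0;
    for (in = 0; env[in] != NULL; in++)
        if (name_len(env[in]) != 0 && listed(env[in], names) == (whitelist != 0))
            env[out++] = env[in];
    env[out] = NULL;
    return out;
}

int main(void)
{
    /* Constructed sample; LD_EXAMPLE_FUTURE is a made-up name. */
    char *a[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "LD_EXAMPLE_FUTURE=1", NULL };
    char *b[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "LD_EXAMPLE_FUTURE=1", NULL };
    printf("discard list keeps %zu, whitelist keeps %zu\n",
           filter_env(a, ld_vars, 0), filter_env(b, safe_vars, 1));
    return 0;
}
```
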
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040227111353.GA14777>