Environment Poisoning and login -p
D J Hawkey Jr
hawkeyd at visi.com
Fri Feb 27 03:13:55 PST 2004
On Feb 26, at 03:03 PM, Tim Kientzle wrote:
>
> Andrey Chernov wrote:
> >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> >
> >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> >>and LD_PRELOAD from the environment, even if "-p" is specified.
> >
> >Yes! It is what I have said from the very beginning. It is so obvious that I wonder
> >why others did not see it first.
>
> Instead, I've decided to follow Jacques Vidrine's
> suggestion of using a whitelist of environment variables
> that are "known-safe."

Coming in from left field... Will there be some sort of mechanism for
an admin to set/modify this list?

Runs, ducking,
Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd at visi.com /\________________/
http://www.visi.com/~hawkeyd/
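
The two fixes discussed in this thread, side by side, as an added example (not code from the post or from FreeBSD's login): dropping the two named variables versus keeping only a "known-safe" list. The allowlist contents, the function names and the sample environment are assumptions made for illustration; the list is passed as a parameter, which is where an admin-supplied list would plug in.

```c
#include <stdio.h>
#include <string.h>

/* The two variables named in the thread's first proposal. */
const char *const DENYLIST[] = { "LD_LIBRARY_PATH", "LD_PRELOAD", NULL };
/* Assumed for illustration; not the list FreeBSD's login adopted. */
const char *const ALLOWLIST[] = { "TERM", "LANG", NULL };

/* 1 if the NAME part of "NAME=value" matches an entry of names[] exactly. */
static int name_listed(const char *entry, const char *const *names)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : 0;
    if (len == 0)
        return 0;                   /* malformed entry matches no list */
    for (; *names != NULL; names++)
        if (strlen(*names) == len && strncmp(entry, *names, len) == 0)
            return 1;
    return 0;
}

/* Compact env[] in place, keeping entries whose listed-ness equals
 * keep_if_listed (1 = allowlist, 0 = denylist). Returns entries kept. */
size_t filter_env(const char **env, const char *const *names, int keep_if_listed)
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (name_listed(env[i], names) == keep_if_listed)
            env[kept++] = env[i];
    env[kept] = NULL;
    return kept;
}

/* Filter a constructed sample environment; count surviving LD_* entries. */
size_t ld_vars_surviving(const char *const *names, int keep_if_listed)
{
    const char *env[] = { "TERM=xterm", "LANG=C", "LD_PRELOAD=/tmp/a.so",
        "LD_LIBRARY_PATH=/tmp", "LD_LIBMAP=constructed", NULL };
    size_t n = filter_env(env, names, keep_if_listed), ld = 0;
    for (size_t i = 0; i < n; i++)
        ld += (strncmp(env[i], "LD_", 3) == 0);
    return ld;
}

int main(void)
{
    printf("LD_* kept: denylist %zu, allowlist %zu\n",
        ld_vars_surviving(DENYLIST, 0), ld_vars_surviving(ALLOWLIST, 1));
    return 0;
}
```

With the denylist, LD_LIBMAP (also read by FreeBSD's rtld) survives because nobody listed it; the allowlist drops every variable it was not told about.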