Environment Poisoning and login -p
Peter Pentchev
roam at ringlet.net
Fri Feb 27 03:20:21 PST 2004
On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> >
> > Andrey Chernov wrote:
> > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > >
> > >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > >
> > >Yes! It is what I have said from the very beginning. It is so obvious that I wonder
> > >why others did not see it first.
> >
> > Instead, I've decided to follow Jacques Vidrine's
> > suggestion of using a whitelist of environment variables
> > that are "known-safe."
>
> Coming in from left field... Will there be some sort of mechanism for
> an admin to set/modify this list?
>
> Runs, ducking,
> Dave

Surely you are aware of the consequences of s/admin/intruder/? :)
Still, it might be useful indeed.

G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at sbnd.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?
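
The whitelist approach mentioned in the quoted discussion, sketched as an added example (not code from this thread or from FreeBSD's login). The allowlist contents, the function names `is_allowed` and `scrub_env`, and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for illustration; not the list FreeBSD login uses. */
static const char *const safe_vars[] = { "TERM", "LANG", "TZ", NULL };

/* Return 1 only if entry is "NAME=value" with NAME exactly on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name: drop */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; safe_vars[i] != NULL; i++)
        if (strlen(safe_vars[i]) == n && strncmp(entry, safe_vars[i], n) == 0)
            return 1;                   /* exact match, so TERMCAP != TERM */
    return 0;
}

/*
 * Compact a NULL-terminated environment array in place so that only
 * allowlisted entries remain. Returns the number of entries kept.
 */
size_t scrub_env(char **env)
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (is_allowed(env[i]))
            env[kept++] = env[i];
    env[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, as a caller of "login -p" might pass. */
    char *env[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "LD_LIBRARY_PATH=/tmp",
                    "LD_32_PRELOAD=/tmp/x.so", "TERMCAP=x", "LANG=C", NULL };
    size_t n = scrub_env(env);
    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

Because the list here is compiled in, changing it requires replacing the binary; a run-time configurable list would need the same protection as the binary itself, which is the s/admin/intruder/ concern raised above.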