svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

[Andrey Chernov]

On Sun, Jan 15, 2012 at 02:44:35AM -0800, Xin LI wrote:
> Why you need anything if the program needs to run something inside the
> chroot, which means one already have set up a full chroot environment?

1) ftpds usually not allows to run any program by default. Max default set 
usualy is: ls, tar, gzip, zip, compress and date. Nobody of them can reset 
environment and so touch LD_SO_DISABLE. Some external programs can be 
added to the ftpd config, but it is responsibility of admin to add not 
unrar but /bin/sh there, i.e. footshooting.

2) It is interesting question: what other camps implements to prevent the 
problem?

I mean other *BSDs and Linuxes.

a) If they implement nothing, there is possibility that this artificial 
problem exists purely in our @secteam exalted minds, which can't review 
simple patch for >3 years but always are ready for some bit of 
ugly and unneded creativity. In that particular case it is due to 
unwilling to pass responsibility to admin who creates chroot() 
environment.

b) If they implement something, why there are no any mentions of it in 
your list of discussed ideas?

-- 
http://ache.vniz.net/