The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Environment variables (SECURITY: too many new packages)


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 1 Jul 1998 00:42:10 +2500
From: Alan Cox <[email protected]>
To: [email protected]
Subject: Environment variables (SECURITY: too many new packages)

Bugtraq readers who haven't been following the Linux security audit
project (from whence most of the Red Hat fixes came - and other vendors
will I assume be issuing identical updates) might like to take a look
at how their own OS handles pointing the following at files only root
can read and running setuid apps. (or setgid usage in some cases such as
Mutt)
        TZ
        TERMINFO
        TERMCAP

There are lots of files which when read do 'interesting' things, and termcap
in paticular is fun because it tends to read the entire floppy/tape/memory
etc before it gives up.

This raises another related question. Has anyone ever tried to build the
complete list of environment influenced file opens in not just libc but
all the supporting libraries in unix systems ?


A PS item btw: 2.0.35pre3 fixes the bug reported with SIGIO, and it should
be out as 2.0.35 proper RSN - 2.0.35pre3 is a release candidate. We hadn't
planned on a 2.0.35 release quite that soon but such is life.

Alan

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру