OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Here's another glibc env. var.
From: Solar Designer (solarfalse.com)
Date: Thu May 25 2000 - 03:53:42 CDT

>
> > There's a lot of it about. And ignoring LC_ for setuid apps is not an option
> > if you wish to travel abroad and live.
>
> My patch disabling LC_* stuff made it to the official libc5 (I think it
> was the last release, 5.4.46), and I have travelled abroad and stayed
> alive since then! :)

And I had to patch against 5.4.38 instead in order to be able to use
elm where it needed SGID mail.

I believe at least LC_CTYPE should be supported for SUID/SGID (LANG
and LC_ALL should probably be limited to the functionality of
LC_CTYPE if SUID/SGID), but restricted to not allow known control
characters. The implementation should also be re-audited to make
sure the file accesses are safe.

While we're on the topic, the ru_RU.KOI8-R locale in glibc 2.1.3
thinks '\x80' through '\x9f' are printable characters.

> (In fact, it is probably a good thing to motivate people to avoid putting
> user-friendly junk into setuid programs...)

Perhaps there should also be an option to disable this, but it would
have to be read from a file or such, which has a performance impact.
Any suggestions?

Signed,
Solar Designer