|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Here's another glibc env. var.
From: Chris Evans (chris
ferret.lmh.ox.ac.uk)Date: Fri May 26 2000 - 18:04:32 CDT
- Next message: Alan Cox: "Re: Here's another glibc env. var."
- Previous message: Alan Cox: "Re: Here's another glibc env. var."
- In reply to: Alan Cox: "Re: Here's another glibc env. var."
- Next in thread: Alan Cox: "Re: Here's another glibc env. var."
- Next in thread: haradaobunsha.co.jp: "Re: Here's another glibc env. var."
- Reply: Chris Evans: "Re: Here's another glibc env. var."
- Reply: Alan Cox: "Re: Here's another glibc env. var."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, 26 May 2000, Alan Cox wrote:
> > Let me explain an idea I had recently: whenever execve() is called on a
> > s[ug]id binary, the kernel would load and run a specified "wrapper"
>
> Keep the kernel out of it. If you want to do this add yourself an
> ld-sanitize.so and make that your elf loader for such apps. No kernel help
> needed
I think we need a telnetd approach. Upon exec() of privileged program, we
nuke the entire environment apart from a list of accpetable
variables. This code could be in glibc.
This has the benefit that when an insecure new glibc internal
env. var. gets added, we've protected.
Cheers
Chris
- Next message: Alan Cox: "Re: Here's another glibc env. var."
- Previous message: Alan Cox: "Re: Here's another glibc env. var."
- In reply to: Alan Cox: "Re: Here's another glibc env. var."
- Next in thread: Alan Cox: "Re: Here's another glibc env. var."
- Next in thread: haradaobunsha.co.jp: "Re: Here's another glibc env. var."
- Reply: Chris Evans: "Re: Here's another glibc env. var."
- Reply: Alan Cox: "Re: Here's another glibc env. var."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]