Subject: Re: [RFC] environment sanitisation wrapper
From: Cooper (CooperLinuxfan.com)
Date: Mon May 29 2000 - 14:53:04 CDT


Sean Hunter wrote:
>
> For example, I am an active developer, and so am using some
> debugging/profiling libraries and glibc's malloc debugging options. I
> am also on support. I get a call saying that apache has tanked, so I
> restart it using "sudo /etc/rc.d/init.d/httpd start", or some such.
> The webserver is now running with my LD_PRELOAD and my malloc
> debugging env vars, but with root permissions. Nice.
>
> Thus a trusted user may unwittingly compromise the security of
> programs they run using sudo. That's not a very pretty picture.
>
> My alias gets around this by seamlessly setting up a sane environment
> for the binary to be run as root. This means that it automagically
> helps my trusted users to run things safely using "sudo". Sure it's
> just an alias. My trusted users could easily disable it and
> deliberately run binaries in a compromised fashion. But that would be
> deliberately dumb. I don't have that problem here (my trusted users
> aren't deliberately dumb), otherwise I would have to patch sudo or not
> trust that user.

K. Makes sense to me. Thanks for the explanation.

Cooper

-- 
If you can read this you're probably not dead yet.
	- Johnny The Homicidal Maniac 7 -
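
The environment scrubbing described in the quoted message, as an added example that is not part of the thread and is not Sean Hunter's alias (which the page does not show). The names `clean_run`, `risky_vars`, `SAFE_VARS` and `SAFE_PATH`, and the values chosen for the allowlist and path, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allowlist-based environment sanitiser for privileged commands.
# All names and values below are illustrative assumptions, not from the thread.

# Only these variables are copied from the caller's environment.
SAFE_VARS="TERM LANG LC_ALL TZ"
# The child gets this fixed search path instead of the caller's PATH.
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# Print the names of exported variables that steer the dynamic loader or
# glibc's malloc debugging (LD_PRELOAD, LD_LIBRARY_PATH, MALLOC_CHECK_, ...).
# Values containing newlines can produce spurious lines; this is a quick check.
risky_vars() {
    env | sed -n \
        -e 's/^\(LD_[A-Za-z0-9_]*\)=.*/\1/p' \
        -e 's/^\(MALLOC_[A-Za-z0-9_]*\)=.*/\1/p'
}

# Run "$@" with an empty environment plus the allowlisted variables.
# Everything not in SAFE_VARS, including LD_* and MALLOC_*, is dropped.
clean_run() {
    if [ "$#" -eq 0 ]; then
        echo "usage: clean_run command [args...]" >&2
        return 2
    fi
    for _v in $SAFE_VARS; do
        # _v comes only from the constant list above, so eval is safe here.
        eval "_set=\${$_v+x}; _val=\${$_v-}"
        if [ -n "$_set" ]; then
            # Prepend NAME=value so env sees it before the command name.
            set -- "$_v=$_val" "$@"
        fi
    done
    env -i PATH="$SAFE_PATH" "$@"
}

# Intended use, matching the scenario in the message:
#   risky_vars                                    # see what would be inherited
#   clean_run sudo /etc/rc.d/init.d/httpd start   # start the daemon without it
```

An allowlist is used rather than unsetting known-bad names because the set of variables honoured by the loader and libc changes between versions.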