Re: simple tpe implementation
From: Travis H. (travis+ml-tech-security-netbsdsubspacefield.org)
Date: Tue Feb 27 2007 - 02:09:00 CST
On Fri, Feb 02, 2007 at 06:54:59PM +0100, Quentin Garnier wrote:
> I've already notified elad about that, but in case anyone would start
> using it, that implementation of TPE is actually too simple to prevent
> execution of user-supplied code.
A while back I was considering a change to the shell that would allow
you to specify a userlist that you trusted, and to ignore any programs
in your path that could be modified by anyone else. This was back when
there was still a "bin" user, and such. Anyway, to be thorough you
need to check the parents of each of the directories (all the way up to
the root) for writability, among other things.
Good code works. Great code can't fail. -><-
For a good time on my UBE blacklist, email johnsubspacefield.org.
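
The parent-directory check described in the message above, as an added example that is not part of the original post or of the NetBSD TPE code. The function names, the sample tree and its uids are constructed for illustration, and treating any group-writable component as untrusted is an assumption of this sketch.

```python
import os
import stat as statmod


def ancestors(path):
    """Yield path, then each parent directory, ending with the root."""
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:  # dirname("/") == "/", so the walk is finished
            return
        path = parent


def untrusted_components(path, trusted_uids, stat_fn=os.stat):
    """Return [(component, reason)] for each component an untrusted user could modify."""
    findings = []
    # Resolve symlinks first so the walk covers the directories really traversed.
    for comp in ancestors(os.path.realpath(path)):
        st = stat_fn(comp)
        if st.st_uid not in trusted_uids:
            findings.append((comp, "owner uid %d not trusted" % st.st_uid))
        elif st.st_mode & (statmod.S_IWGRP | statmod.S_IWOTH):
            findings.append((comp, "group/other writable"))
    return findings


def trusted_path_dirs(path_var, trusted_uids, stat_fn=os.stat):
    """Keep only the PATH entries whose whole ancestry is trusted (empty entries dropped)."""
    return [d for d in path_var.split(":")
            if d and not untrusted_components(d, trusted_uids, stat_fn)]


# Constructed sample tree: path -> (owner uid, mode). 0 = root, 1000 = the user.
SAMPLE = {
    "/": (0, 0o755),
    "/tpe-demo": (0, 0o755),
    "/tpe-demo/bin": (0, 0o755),
    "/tpe-demo/shared": (0, 0o777),         # world-writable parent
    "/tpe-demo/shared/bin": (1000, 0o755),  # looks safe when checked alone
    "/tpe-demo/other": (1001, 0o755),       # owned by a user outside the list
}


def sample_stat(p):
    """Stand-in for os.stat that answers from the constructed tree."""
    uid, mode = SAMPLE[p]
    return os.stat_result((statmod.S_IFDIR | mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

With the default `stat_fn`, `trusted_path_dirs(os.environ["PATH"], {0, os.getuid()})` runs the same check against the real filesystem.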