From: Travis H. (travis+ml-tech-security-netbsdsubspacefield.org)
Date: Tue Feb 27 2007 - 02:09:00 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 02, 2007 at 06:54:59PM +0100, Quentin Garnier wrote:
> I've already notified elad about that, but in case anyone would start
> using it, that implementation of TPE is actually too simple to prevent
> execution of user-supplied code.

A while back I was considering a change to the shell that would allow
you to specify a userlist that you trusted, and to ignore any programs
in your path that could be modified by anyone else. This was back when
there was still a "bin" user, and such. Anyway, to be thorough you
need to check the parents of each of the directories (all the way up to
the root) for writability, among other things.

--
Good code works. Great code can't fail. -><-
<URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email johnsubspacefield.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (OpenBSD)

iQIVAwUBRePnHGQVZZEDJt9HAQI1SA/+KX8Nsc0bSBPX9mjCDOR9n7QjTgr6wWo1
ueJrWA3p+LdC+sp+0xegAToINFG7/3EmOtmk0TLx3pffpC7Me6EWb5QngDlq3KF8
EB1XPuH3AfVrPTDGsKs9b5vHRkJHH40Wdx8Tl8/zLT1j76Mt0eDo+mUtyI/6d1RG
suCW5ctye+pG3VHWrrCXuHkYH/daRoxFy8f2MDOiPveBU1K2+vYuert9qZVuHT5g
GfY/mNPhKFM69s9Xd5S7kWeB3acUpL6jXs+t4CU3R+ridhxBQWvG6pXes9KoFzN2
Kphy3bDu9CYZhyxWpkVBIxnNlEyEFGNWJQOmcO0oK7ZdcAJ4Oi8pyiwG8uNHv8pf
Gl3fifkkBRB3M5hZ8oKPh5+xfi4FDq4H8Z7Yr9JUD1I4h6TpO5+ZbO4o+45y+yon
m2uwj/8eBjvLMkEVGvKxe7c0mQ3gR3WLWWNFjSJ8PHN90HNvHWKa2GZk1ToDTSuM
MTrYy0m7d5Au9HNdssG17myDo0XUPBJxfUIzdkTKE92FiFsr+zQOiEOPfcISTaSB
cCbYlOdMAHGvDOxBYmZiVA/aUhKbeJL0FRuOGHFglWkefxdQW4KTuPKASGB0b5Gk
m5BVgu4Y83CO4SeuwxJPnyPjb/zjLelahB46iV26dfZTft6BxUgsXM3jSxQvTlzb
Bu7MQkAI9Rw=
=oFBe
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]