Bugtraq mailing list archives
Re: libresolv+ bug
From: Don.Lewis () tsc tdk com (Don Lewis)
Date: Mon, 19 Aug 1996 01:12:08 -0700
On Aug 19, 9:19am, Casper Dik wrote:
} Subject: Re: libresolv+ bug

[someone wrote]
} >The better solution is probably to do things such as ld.so does, and only
} >remove the variables if it is a suid or sgid program, although removing
} >support for them totally works too :).

} Unfortunately, there's a big difference between when ld.so gets called
} first and when your routine gets called first. ld.so can have a notion of
} whether a program was set-uid, as it is called at program start.
} Library functions, on the other hand, are called possibly after a program
} may have altered its uids/gids. (E.g., it may have set all its uids to zero)

You can't count on ld.so either, because the program may have been
statically linked.

} You could, of course, bracket all such environment variable use with
} seteuid()/setegid() in the library, but that isn't foolproof.

Especially since you have to track all these down.

--- Truck
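The problem discussed in this message, as an added example that is not part of the original post: a library that compares uids at call time is fooled once a set-uid program has already changed its ids, while a verdict recorded at exec time is not. It assumes Linux with glibc's getauxval(AT_SECURE), which postdates this thread; the struct, the function names and the EXAMPLE_CONF variable are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* Facts a library routine can consult before honouring an environment variable. */
struct proc_ids {
    uid_t ruid, euid;
    gid_t rgid, egid;
    unsigned long at_secure; /* set by the kernel at exec, fixed for the process lifetime */
};

/* Call-time check: trust the environment when real and effective ids match. */
static int naive_env_trusted(const struct proc_ids *p) {
    return p->ruid == p->euid && p->rgid == p->egid;
}

/* Exec-time check: trust the environment only if the kernel did not flag the
 * exec as privileged. The auxiliary vector comes from the kernel, so this
 * does not depend on ld.so and also holds for statically linked programs. */
static int exec_time_env_trusted(const struct proc_ids *p) {
    return p->at_secure == 0;
}

static struct proc_ids current_ids(void) {
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid(),
                          getauxval(AT_SECURE) };
    return p;
}

/* Library-side lookup: returns NULL instead of an untrusted value. */
static const char *lib_getenv(const char *name) {
    struct proc_ids p = current_ids();
    return exec_time_env_trusted(&p) ? getenv(name) : NULL;
}

int main(void) {
    /* Constructed sample: set-uid root binary started by uid 1000 that has
     * already called setuid(0), so all its uids are zero at library call time. */
    struct proc_ids after_setuid = { 0, 0, 1000, 1000, 1 };
    printf("call-time check trusts env: %d\n", naive_env_trusted(&after_setuid));
    printf("exec-time check trusts env: %d\n", exec_time_env_trusted(&after_setuid));
    /* EXAMPLE_CONF is a hypothetical variable name. */
    const char *v = lib_getenv("EXAMPLE_CONF");
    printf("this process, EXAMPLE_CONF: %s\n", v ? v : "(ignored or unset)");
    return 0;
}
```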