Bugtraq mailing list archives

Re: libresolv+ bug

From: Don.Lewis () tsc tdk com (Don Lewis)
Date: Mon, 19 Aug 1996 01:12:08 -0700


On Aug 19,  9:19am, Casper Dik wrote:
} Subject: Re: libresolv+ bug

  [someone wrote]
} >The better solution is probably to do things such as ld.so does, and only
} >remove the variables if it is a suid or sgid program, although removing
} >support for them totally works too :).

} Unfortunately, there's a big difference between when ld.so gets called
} first and when your routine gets called first. ld.so can have a notion of
} whether a program was set-uid, as it is called at program start.
} Library functions, on the other hand, are called possibly after a program
} may have altered its uids/gids.  (E.g., it may have set all its uids to zero)

You can't count on ld.so either, because the program may have been
statically linked.

} You could, of course, bracket all such environment variable use with
} seteuid()/setegid() in the library, but that isn't fullproof.

Especially since you have to track all these down.

                        ---  Truck

Current thread:

Re: libresolv+ bug Don Lewis (Aug 19)
- <Possible follow-ups>
- Re: libresolv+ bug der Mouse (Aug 19)
  - Re: libresolv+ bug Alan Cox (Aug 20)
  - Re: libresolv+ bug Thomas Ptacek (Aug 20)
    - Re: libresolv+ bug Julian Assange (Aug 21)
- Re: libresolv+ bug John Nemeth (Aug 20)
- Re: libresolv+ bug Andi Gutmans (Aug 20)
  - Re: libresolv+ bug Jon Lewis (Aug 20)
    - Re: libresolv+ bug Elliot Lee (Aug 20)
  - Re: libresolv+ bug Nick Andrew (Aug 20)
    - Re: libresolv+ bug Jon Lewis (Aug 20)

(Thread continues...)