Bugtraq mailing list archives
Re: libresolv+ bug
From: zblaxell () myrus com (Zygo Blaxell)
Date: Wed, 21 Aug 1996 14:31:24 -0400
In article <199608190902.FAA32500 () matisse its rpi edu>, Steve Czetty <BUGTRAQ () NETSPACE ORG> wrote:
> In response to the libresolv+ hole ... I'm sure there's a better/more encompassing/cleaner method of fixing it, but here's my patch for ping (I
>
> Yes.. I (once again) patched my libc to ignore the environment variable altogether.. Why do we need to have the ability to specify an /etc/host.conf other than /etc/host.conf???
You need to be able to specify another /etc/host.conf when it's wrong, when /etc/host.conf itself is a security problem, when it's misconfigured, when the servers listed therein are down, when you're testing changes to /etc/host.conf, and when the sysadmin is vacationing on a continent with poor cellular phone connectivity.

My question is: why are setuid programs doing really stupid things with the contents of this file? Given that DNS is as insecure or even more insecure than anything else that comes into a host from its network interface, why shouldn't the DNS access library be generally paranoid?

One good trick would be to have the library produce minimal diagnostics when the binary is setuid (e.g. "parse error" instead of "parse error: what_could_not_be_parsed").

--
Zygo Blaxell. Unix/soft/hardware guru, was for U of Waterloo CS Club, now for (name withheld by request). 10th place, ACM Intl Collegiate Programming Contest Finals, 1994. Admin Linux/TCP/IP for food, clothing, anime. Pager: 1 (613) 760 8572.
"I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong
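The two mitigations discussed in this message, sketched in C as an added example that is not part of the original post and not libresolv+ code: the path override is honoured only for unprivileged callers, and a setuid caller gets a parse error that never echoes the file's contents. The variable name `EXAMPLE_HOST_CONF`, the keyword subset and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_CONF "/etc/host.conf"
#define CONF_ENV "EXAMPLE_HOST_CONF"   /* hypothetical override variable name */

/* True when real and effective ids differ, i.e. the binary runs setuid/setgid. */
static int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Honour the environment override only for unprivileged callers. */
static const char *conf_path(int privileged) {
    const char *p = privileged ? NULL : getenv(CONF_ENV);
    return (p && *p) ? p : DEFAULT_CONF;
}

/* Check one config line. Returns 0 if accepted, -1 on a parse error, in which
   case diag holds the message; privileged callers get no echo of the input. */
static int check_line(const char *line, int lineno, int privileged,
                      char *diag, size_t n) {
    static const char *const keys[] = { "order", "multi", "trim", "nospoof" }; /* illustrative subset */
    line += strspn(line, " \t");
    size_t len = strcspn(line, " \t\r\n");
    diag[0] = '\0';
    if (len == 0 || line[0] == '#') return 0;          /* blank line or comment */
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strlen(keys[i]) == len && strncmp(line, keys[i], len) == 0) return 0;
    if (privileged)
        snprintf(diag, n, "line %d: parse error", lineno);
    else
        snprintf(diag, n, "line %d: parse error: %.*s", lineno, (int)len, line);
    return -1;
}

int main(void) {
    char diag[128], line[256];
    int priv = running_privileged(), lineno = 0, bad = 0;
    FILE *f = fopen(conf_path(priv), "r");
    if (!f) return 1;
    while (fgets(line, sizeof line, f))
        if (check_line(line, ++lineno, priv, diag, sizeof diag) != 0) {
            fprintf(stderr, "%s\n", diag); bad++;
        }
    fclose(f);
    return bad ? 2 : 0;
}
```

Comparing real and effective ids misses a process that has already made them equal after starting setuid; on glibc, `secure_getenv()` covers that case for the environment lookup.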