Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: davids () WEBMASTER COM (David Schwartz)
Date: Thu, 9 Jul 1998 15:57:18 -0400
> And of course your comment is inconsistent with LD_PRELOAD handling on every OS so far - ld.so is a shared object too.
>
> Alan
The ld.so library is specifically intended to be callable by suid/sgid processes and callers can reasonably expect that the library would be safe. On the other hand, 'user' libraries should not be assumed to be safe under any circumstances.

Programs not designed to be suid/sgid should not operate if they find themselves suid/sgid (and should make this check as early as practical). Programs designed to be suid/sgid should not call libraries not known to be safe without dropping privileges. And, of course, use of constructors not known to be safe in suid/sgid programs should be strongly discouraged. Pointers should be used instead and the objects created only after the environment is known to be safe.

In my opinion, authors of programs that are designed to be suid/sgid should do anything that they don't reasonably know to be safe without first ensuring a sane (and unprivileged) environment. The fault is in the programs, not the libraries.

David Schwartz
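An added example (not part of the original message or of ncurses) showing in C the two checks the message describes: refusing to run when a program finds itself suid/sgid, and dropping to the real IDs before calling a library not known to be safe. The function names `ids_differ`, `is_setid` and `drop_privileges` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: the process holds borrowed privilege if either effective ID
 * differs from the corresponding real ID. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Is this process running suid/sgid right now? */
int is_setid(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* For programs designed to be suid/sgid: return to the real IDs before
 * touching a library not known to be safe. The group is dropped first,
 * because after setuid() the process may no longer be allowed to change
 * its gid. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Verify the result instead of trusting the return values alone. */
    return is_setid() ? -1 : 0;
}

int main(void)
{
    /* For programs NOT designed to be suid/sgid: make the check first,
     * before any library initialisation such as curses initscr(). */
    if (is_setid()) {
        fprintf(stderr, "refusing to run suid/sgid\n");
        return EXIT_FAILURE;
    }
    puts("unprivileged environment, safe to initialise libraries");
    return EXIT_SUCCESS;
}
```

When the program is suid to a non-root user, `setuid()` leaves the saved set-user-ID in place, so on systems that provide `setresuid()`/`setresgid()` those calls are the way to clear it as well. Supplementary groups are not changed by this code.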