Bugtraq mailing list archives

Re: Environment variables (SECURITY: too many new packages)

From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Wed, 1 Jul 1998 10:49:29 +0200


On Wed, 1 Jul 1998, Alan Cox wrote:

Bugtraq readers who haven't been following the Linux security audit
project (from whence most of the Red Hat fixes came - and other vendors
will I assume be issuing identical updates) might like to take a look
at how their own OS handles pointing the following at files only root
can read and running setuid apps. (or setgid usage in some cases such as
Mutt)
        TZ
        TERMINFO
        TERMCAP


Add LANG, all LC_*, and various LD_* (esp. LD_*_OUTPUT) to the list.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."

Current thread:

Re: Environment variables (SECURITY: too many new packages) Pavel Kankovsky (Jul 01)
- <Possible follow-ups>
- Re: Environment variables (SECURITY: too many new packages) Edward John Brocklesby (Jul 01)