[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [MiNT] getenv() and security
"Guido Flohr" <gufl0000@stud.uni-sb.de> writes:
|> Hi,
|>
|> the GNU libc disables most library-internal usage of the environment if a
|> process was started with the suid/sgid bit set on, when real and effective
|> user/group id differ. Does anybody know what is unsafe for suid programs
|> to do for example getenv ("HOME") or getenv ("TMPDIR")?
A suid *program* can do whatever it wants, as long as it behaves properly.
But the libc should never implicitly depend on user settable parameters
when starting up in privileged mode. Look up tainting in the perl manual.
Andreas.
--
Andreas Schwab "And now for something
schwab@issan.cs.uni-dortmund.de completely different"
schwab@gnu.org