[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-devel
Subject: Re: setuid/setgid binaries contained in the Debian repository.
From: Matt Zimmerman <mdz () debian ! org>
Date: 2003-08-11 16:25:37
[Download RAW message or body]
On Mon, Aug 11, 2003 at 05:03:02PM +0200, Goswin von Brederlow wrote:
> Matt Zimmerman <mdz@debian.org> writes:
> > The only barrier I see is that it would clean the environment variables.
> > Yes, this is a popular attack vector, but it is by no means the only one.
>
> The wrapper couldbe setuid root and drop to game.
>
> But I rather have some game exploits than a root exploit due to a
> buggy wrapper.
This doesn't sound _entirely_ unreasonable. The wrapper would be simple
enough that one could have a high degree of confidence in its security.
However, it does obfuscate the process, making it difficult to see how it
works from looking at the filesystem.
--
- mdz
--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic