[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] libdbus hardening
From: Ludwig Nussel <ludwig.nussel () suse ! de>
Date: 2012-07-30 9:52:21
Message-ID: 50165955.3020401 () suse ! de
[Download RAW message or body]
Florian Weimer wrote:
> On 07/30/2012 10:59 AM, Ludwig Nussel wrote:
>> Florian Weimer wrote:
>>> On 07/17/2012 12:08 PM, Florian Weimer wrote:
>>>
>>>> Note that GNU libc will likely change the name to secure_getenv.
>>>> Upstream does not want to document __secure_getenv as-is.
>>>
>>> This will be part of glibc 2.17. autoconf instructions are available here:
>>>
>>> <http://sourceware.org/glibc/wiki/Tips_and_Tricks/secure_getenv>
>>
>> Now the next step would be to make glibc automatically use secure_getenv
>> when running setuid root and require programs to explicitly call
>> insecure_getenv() or something like that :-)
>
> You're welcome to absorb the transition costs. 8-) I looked into this
> briefly, and the potentially insecure getenv calls are not in the
> majority, so we'd have to expect quite a bit of breakage, or at least
> add a configurable whitelist of variable names in a file in /etc.
Potential breakage would only occur in setuid programs that actually use
getenv for valid purposes though. I wonder how many of those actually
exist.
> FWIW, I consider PAM and NSS (Name Service Switch) the major problem
> areas, too. Do you know if the APIs would allow confining plug-ins to
> subprocesses? Then we only have to solve the transparent child
> process problem.
No idea. I'd probably rather implement the setuid binary itself as
client/server program and get rid of setuid in the first place instead
of trying to play tricks in PAM though.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic