Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Pavel Kankovsky (peakat_private)
Date: Thu Aug 26 1999 - 13:52:19 PDT

    On Sun, 22 Aug 1999, Alan Cox wrote:
    
    > The problem with telnetd is that you can pass a terminal name that indicates
    > 'use a local file'. Now the ncurses library then goes 'ok leading slash
    > all well and good', I'm not suid, uid==euid, let's open it as root and read a
    > few bytes. You can't do much with it - you can rewind the machine's tape
    > drive for example however. Also if your termcap parser has bugs you can
    > hit those.
    
    In other words, the library gets no reliable information about the
    trustworthiness of the data it works with (terminal name in this
    particular case). Therefore it cannot reliably restrict its
    functionality to a smaller and safer set.
    
    > It is a very nice example of why saying "lets ignore XYZ variable" is not
    > security but a quick fix for emergencies. If you don't fix the code it
    > will get you..
    
    But it is also a quite effective preventive measure (to paraphrase one
    saying: good programmers write code without bugs, great programmers write
    code resistant to bugs) and a strong incentive to reduce the amount of
    set-id code (I am afraid this itself is a very good reason to introduce as
    many limitations as possible).
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
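A caller-side check of the kind the exchange above argues a privileged program needs, as an added C example (not code from the thread, from Red Hat or from any termcap library); the length limit, the accepted character set and the "dumb" fallback type are this example's assumptions:

```c
/* Added example, not code from the thread or from any termcap library.
 * A daemon such as telnetd runs with uid == euid (both root), so the
 * library's set-id heuristic does not fire and a client-supplied TERM
 * beginning with '/' is treated as a termcap file to open as root. The
 * caller must therefore vet the name itself before calling tgetent().
 * TERM_NAME_MAX and the allowed character set are this example's own
 * choices (assumptions), not values taken from the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TERM_NAME_MAX 32 /* assumed upper bound on a terminal type name */

/* Return 1 if name looks like a terminal *type* (non-empty, short, only
 * letters, digits, '-', '+', '.', '_'), else 0. Any '/' is refused, so
 * no string that names a file or device path reaches the library. */
int term_name_is_safe(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_'))
            return 0; /* '/', whitespace, control or 8-bit bytes */
    }
    return 1;
}

/* Name a daemon would actually hand to tgetent(): the client's value if
 * it passes the check, otherwise a fixed, known-good fallback. */
const char *choose_term(const char *untrusted)
{
    return term_name_is_safe(untrusted) ? untrusted : "dumb";
}

int main(void)
{
    /* constructed samples: two real types, then strings a client might send */
    const char *samples[] = { "vt100", "xterm-256color", "/dev/st0",
                              "../termcap", "", "vt100 x" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], choose_term(samples[i]));
    return 0;
}
```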



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:05 PDT