On Wed, 06 Feb 2002 18:38:15 PST, Huagang Xie <xieat_private> said: > What I want is to check the "envp" ( the envp passed to the > sys_execve()).. current hook in do_execve() do not give me this envp, (Hmm.. checking caffeine levels first.. ;) I'm assuming that the goal here is to scan the environment being passed, and do something if you find something odd (for instance, LD_PRELOAD being set for a set[ug]id binary)? If so, are there any environment variables that a security module should be scanning for, rather than the application handling it itself? Yes, I know there *was* an LD_PRELOAD issue - but that got fixed where it should be fixed. And in the general case, pre-filtering for sanity is probably a lost cause - I've seen programs borked because one of the LC_* locale environments was motified. On the other hand, I've personally used (admittedly ugly) code like 'TZ=EST29EDT date +%m%d' to get yesterday's date.... Now, I *could* see the utility of using this as a "filter for a recently discovered envp[] based exploit until a proper patch is available", but are there other uses forseen? I'm not saying it's a bad idea, I'm trying to make sure I understand what Huagang sees it as doing.... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 07:51:33 PST