Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 May 2012 16:55:40 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: make -i with linux-pam

On Mon, May 21, 2012 at 10:24:47PM +0200, aep wrote:
> >-lutil is part of POSIX; in musl it's an empty .a file. I'm not sure
> >it would be a good idea to replace libutil with something else,
> >because programs using stuff from POSIX that's allowed to need -lutil
> >might add -lutil to the link command line.
> 
> How does that work with sysvinit? And a couple of utils are going to
> be broken too. hence i was wondering about an approach to get these
> working without actually having to have that stone age functionality
> in musl itself.

As far as I know it's no problem. Are you saying there are programs
that rely on having information from utmp/wtmp to do their job (and
whose job is valid, unlike things like w/who/finger/etc.)?

Keep in mind that utmp is normally writable by gid utmp, so if any
sgid-utmp program (e.g. a terminal emulator) has any vuln, you can
write arbitrary data to utmp. That means programs which act based on
the contents of utmp almost surely convert these nuisance-level vulns
to privilege-escalation vulns, so I suspect they were all fixed not to
act on utmp a long time ago..

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.