Date: Mon, 21 May 2012 16:55:40 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: make -i with linux-pam

On Mon, May 21, 2012 at 10:24:47PM +0200, aep wrote:
> >-lutil is part of POSIX; in musl it's an empty .a file. I'm not sure
> >it would be a good idea to replace libutil with something else,
> >because programs using stuff from POSIX that's allowed to need -lutil
> >might add -lutil to the link command line.
>
> How does that work with sysvinit? And a couple of utils are going to
> be broken too. hence i was wondering about an approach to get these
> working without actually having to have that stone age functionality
> in musl itself.

As far as I know it's no problem. Are you saying there are programs
that rely on having information from utmp/wtmp to do their job (and
whose job is valid, unlike things like w/who/finger/etc.)?

Keep in mind that utmp is normally writable by gid utmp, so if any
sgid-utmp program (e.g. a terminal emulator) has any vuln, you can
write arbitrary data to utmp. That means programs which act based on
the contents of utmp almost surely convert these nuisance-level vulns
to privilege-escalation vulns, so I suspect they were all fixed not to
act on utmp a long time ago..

Rich
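
The point above about utmp being group-writable, as an added example that is not part of the original message or of musl: a C sketch that treats utmp records as untrusted, display-only data. The function names are hypothetical, the record is constructed in memory, and the choice to neutralise non-printable bytes is an assumption of this example.

```c
/* Added example: utmp records handled as untrusted, display-only data. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <utmp.h>

/* 1 if anyone other than root can modify the file: not root-owned, or
 * group/world-writable (the usual root:utmp 0664 setup counts). */
int utmp_file_is_untrusted(mode_t mode, uid_t owner)
{
    return owner != 0 || (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Copy a fixed-width utmp field that may have no NUL terminator.
 * Bytes outside printable ASCII become '?', so control sequences
 * planted in a record never reach the terminal.
 * Returns the number of replaced bytes, or -1 if dst is too small. */
int utmp_field_to_display(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    size_t n = 0;
    int replaced = 0;

    while (n < srcsz && src[n] != '\0')   /* bounded scan, never strlen() */
        n++;
    if (dstsz < n + 1)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e) { dst[i] = '?'; replaced++; }
        else dst[i] = (char)c;
    }
    dst[n] = '\0';
    return replaced;
}

int main(void)
{
    struct utmp rec;                      /* constructed record, not read from disk */
    char user[sizeof rec.ut_user + 1], line[sizeof rec.ut_line + 1];

    memset(&rec, 0, sizeof rec);
    memset(rec.ut_user, 'A', sizeof rec.ut_user);   /* field with no terminator */
    memcpy(rec.ut_line, "pts/0\033[2J", 9);         /* embedded control bytes */

    int bad = utmp_field_to_display(user, sizeof user, rec.ut_user, sizeof rec.ut_user)
            + utmp_field_to_display(line, sizeof line, rec.ut_line, sizeof rec.ut_line);
    printf("untrusted=%d user=%s line=%s replaced=%d\n",
           utmp_file_is_untrusted(0664, 0), user, line, bad);
    return 0;
}
```

The sanitised strings are meant for display only; nothing here makes a utmp field safe to use in an access or privilege decision.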