Date: Mon, 14 Mar 2011 13:14:36 +0100 From: Ludwig Nussel <ludwig.nussel@...e.de> To: oss-security@...ts.openwall.com Cc: Petr Baudis <pasky@...e.cz> Subject: Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE Dan Rosenberg wrote: > There are a few possible options We could patch glibc to try to > raise the rlimit in addmntent(). [...] Citing our glibc maintainer Petr Baudis via Bugzilla: | I have been thinking about it and I'm not at all sure the proposed solution | makes sense. First, this may also concern the obscure interfaces like | putspent() (not sure if anyone uses these, moreover in security relevant | contexts). Second, messing with RLIMIT_FSIZE within library routine is just | evil. The caller may be multi-threaded or just do something else between | setpwent() and endpwent() too and RLIMIT_FSIZE is just evil. All setuid | programs must sanitize things like this, on their own terms. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.