Date: Tue, 10 Jul 2012 15:58:46 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: libdbus hardening On 07/10/2012 03:43 PM, Solar Designer wrote: > On Tue, Jul 10, 2012 at 03:13:55PM +0200, Florian Weimer wrote: >> Perhaps we can put a getenv_secure() into libc, which will perform all >> the appropriate checks (including future checks we do not know about >> yet)? Duplicating the code in many libraries does not seem prudent. > > We already have __secure_getenv() in glibc, which I think is what > libraries like this should be using on systems with glibc. Sebastian's patches also include a check on prctl(PR_GET_DUMPABLE). I'm not sure if the libc approach (compare effective and real UIDs/GIDs on process start and base process environment trust decisions on that) is equivalent. -- Florian Weimer / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.