Date: Fri, 26 Sep 2014 14:12:20 +0100 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com CC: chet.ramey@...e.edu Subject: Re: CVE-2014-6271: remote code execution through bash On 26/09/14 00:43, Chet Ramey wrote: >> I'm arguing that privilege boundaries should take responsibility for >> their nature as a privilege boundary, and not pass the buck to the >> code that they call into. > > It doesn't help if some process sets ruid = euid and execs bash, > but bash doesn't import functions from the environment if > ruid != euid. Yes, what I'm saying is that in that situation, we should blame the "some process", not bash. It is the "some process" that opted to act as a privilege boundary (by being setuid or whatever), so it should be responsible for taking extra care when it executes non-trivial code (e.g. bash) with its elevated privileges. S
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.