Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.netspace.net.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!news.mathworks.com!mvb.saic.com!pacifier!deraadt From: deraadt@theos.com (Theo de Raadt) Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix Subject: Re: *BSD* Security WWW/Mailing List? Date: 26 Apr 1997 19:12:01 GMT Organization: Pacifier BBS, Vancouver, Wa. ((360) 693-0325) Lines: 17 Message-ID: <DERAADT.97Apr26131201@zeus.pacifier.com> References: <3356E1CC.299E@softway.com.au> <slrn5ltb2l.br4.tqbf@char-star.rdist.org> <5jo5m4$f9v@web.nmti.com> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org> <5jqtkh$mmo@web.nmti.com> NNTP-Posting-Host: zeus.theos.com In-reply-to: peter@nmti.com's message of 25 Apr 1997 18:37:05 GMT Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6765 comp.unix.bsd.misc:3097 comp.security.unix:34053 In article <5jqtkh$mmo@web.nmti.com> peter@nmti.com (Peter da Silva) writes: That's useful, but not good enough. It doesn't protect programs called from a daemon, for example, as in the well known telnetd/login hole, or crontab type attacks, or stuff called from a webserver, ... Any security-conscious program which is going to start a sub-process is required to do a cleanup on it's child's capabilities (environment, uids, gids, grouplist, open files, etc). If it doesn't do that, well, that's the problem. Roughly said, anytime you move to/from higher priviledge you have some cleanup to do. If you don't, you are a sloppy programmer. -- This space not left unintentionally unblank. deraadt@openbsd.org www.OpenBSD.org -- We're fixing security problems so you can sleep at night. (If it wasn't so fascinating I might get some sleep myself...)