tech-userlevel archive


Re: suenv



On Tue, Oct 23, 2012 at 04:31:52PM +0200, Emmanuel Dreyfus wrote:
 > In that situation, and perhaps in others, it would be nice if the
 > administrator could configure a trusted environment for setUID
 > binaries. We would need a way to feed a colon-separated list of
 > environment variables (example:
 > LD_PRELOAD=/usr/lib/libpthread.so:FOO=bar). I see two ways of dealing
 > with it:
 > 1) lookup in /etc/suenv.d/$progname (probably libc based)
 > 2) use sysctl security.suenv.$progname (kernel based)
 > 
 > I like the second one, which is simple to implement and cannot be messed
 > up with incorrect file permissions. I would fix my problem like this:
 > sysctl -w security.suenv.su=LD_PRELOAD=/usr/lib/libpthread.so
 > sysctl -w security.suenv.login=LD_PRELOAD=/usr/lib/libpthread.so
 > 
 > Opinions?

gods please no.

-- 
David A. Holland
dholland%netbsd.org@localhost

