[1207] in linux-security and linux-alert archive


Re: [linux-security] libc 5.4.7

daemon@ATHENA.MIT.EDU (Alan Cox)
Sat Oct 12 07:41:19 1996

From: alan@lxorguk.ukuu.org.uk (Alan Cox)
To: dholland@eecs.harvard.edu (David Holland)
Date: Wed, 9 Oct 1996 22:57:18 +0100 (BST)
Cc: alan@cymru.net, dholland@eecs.harvard.edu, potato@dsnet.com,
        linux-gcc@vger.rutgers.edu, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610091826.OAA15885@burgundy.eecs.harvard.edu> from "David Holland" at Oct 9, 96 02:26:23 pm

>  > Does this also drop the variables from programs run by a setuid program ?
> No. libc ignores the variables; it does not clear them.

So a setuid app that runs an app with uid set to the euid is still a walking
road accident. (like telnetd running login)

Alan
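
The gap described in this message can be closed on the parent's side: libc ignores the variables only while the process is setuid, so a privileged launcher that starts a child with uid equal to euid has to hand that child an environment it built itself. The following is an added example, not code from this thread or from libc; the post does not name the variables, so `LD_PRELOAD` and `LD_LIBRARY_PATH` are constructed stand-ins, and the allow-list and the fixed `PATH` value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example. Assumed allow-list; a real daemon chooses its own. */
static const char *const ALLOWED[] = { "TERM", "TZ", NULL };

/* True if entry is "NAME=value" for exactly this NAME. */
static int is_named(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Copy only allow-listed entries from envp into out (capacity cap,
 * counting the NULL terminator), after a fixed trusted PATH.
 * Returns the number of entries written, or -1 if out is too small. */
int build_clean_env(char *const envp[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = "PATH=/usr/bin:/bin";          /* fixed, never inherited */
    for (size_t i = 0; envp[i] != NULL; i++) {
        for (size_t a = 0; ALLOWED[a] != NULL; a++) {
            if (is_named(envp[i], ALLOWED[a])) {
                if (n + 1 >= cap) return -1;  /* keep room for NULL */
                out[n++] = envp[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Count entries in env that start with prefix (used to check the scrub). */
int count_prefix(char *const env[], const char *prefix) {
    int c = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], prefix, strlen(prefix)) == 0) c++;
    return c;
}

int main(void) {
    /* Constructed sample environment as handed in by an untrusted caller. */
    char *dirty[] = { "LD_PRELOAD=/tmp/x.so", "TERM=vt100",
                      "LD_LIBRARY_PATH=/tmp", "PATH=/tmp/bin", "TZ=UTC", NULL };
    char *clean[8];
    int n = build_clean_env(dirty, clean, 8);
    for (int i = 0; i < n; i++) puts(clean[i]);
    return 0;
}
```

A launcher would pass `clean` as the third argument of `execve()` rather than letting `execv()` or `execl()` forward its inherited environment.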
