Re: suenv

To: Emmanuel Dreyfus <manu%netbsd.org@localhost>
Subject: Re: suenv
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Tue, 23 Oct 2012 22:16:23 +0000

On Tue, Oct 23, 2012 at 04:31:52PM +0200, Emmanuel Dreyfus wrote:
 > In that situation, and perhaps in others, it would be nice if the
 > administrator could configure a trusted environement for setUID
 > binaries. We would need a way to feed a colon-separated list of
 > environement variables (example:
 > LD_PRELOAD=/usr/lib/libpthread.so:FOO=bar). I see two way of dealing
 > with it:
 > 1) lookup in /etc/suenv.d/$progname (probably libc based)
 > 2) use sysctl security.suenv.$progname (kernel based)
 > 
 > I like the second one, which is simple to implement and cannot be messed
 > up with incorrect file permissions. I would fix my problem like this:
 > sysctl -w security.suenv.su=LD_PRELOAD=/usr/lib/libpthread.so
 > sysctl -w security.suenv.login=LD_PRELOAD=/usr/lib/libpthread.so
 > 
 > Opinions?

gods please no.

-- 
David A. Holland
dholland%netbsd.org@localhost

References:
- suenv
  - From: Emmanuel Dreyfus

Prev by Date: Re: suenv
Next by Date: Re: Serious WAPL performance problems
Previous by Thread: Re: suenv
Next by Thread: Serious WAPL performance problems
Indexes:

Home | Main Index | Thread Index | Old Index