Subject: Re: setuid, core dumps, ftpd, and DB
To: Charles M. Hannum <mycroft@mit.edu>
From: Jon Ribbens <jon@oaktree.co.uk>
List: tech-userlevel
Date: 10/21/1996 13:06:11
Charles M. Hannum wrote:
> * In the particular case of ftpd, if you've logged in as a user other
> than root, then your saved, real, and effective uids do not match, so
> the previous check we used to use (ruid != svuid || ruid != euid)
> would catch this.  So, unless you're logged in as root, you'd be hard
> pressed to get ftpd to core dump.

(except on 1.1, when it's easy)

> * Do you prevent core dumps if you've ever had any tainted data, or do
> you attempt to decide when you no longer have any?
> 
> * If the latter, how?  Always zero buffers (including partial zeroing
> of stdio buffers as you read from them!), create new interfaces to the
> libraries to inform them which data is secure, etc?  Garbage
> collection?  B-)

In the case of ftpd, at least, I think that it should be split
into two programs. The front-end program would accept the
connection, ask for the user-name and password, setuid and
chroot as necessary and then exec another program which would
handle the data transfers. This probably isn't a trivial
change though ;-). It's something to bear in mind when writing
future programs though. (cf 'login')

Cheers


Jon
____
\  //    Jon Ribbens    //
 \// jon@oaktree.co.uk //
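The two-program split Jon sketches above, written out as an added C example (not code from this thread or from any ftpd): a front-end that, once authenticated, drops privileges, confirms the drop with the ruid/euid/svuid idea from the quoted mail, and execs the transfer program. The function names, the `jail` directory and the `backend` path are assumptions for illustration.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example: permanently drop to uid/gid, optionally after chroot.
 * Order matters: chroot needs root, so it comes first; setgroups and
 * setgid need root too, so setuid goes last. Returns 0, or -1 (errno set). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return -1;
    /* Only root may change the supplementary groups; as non-root there
     * is nothing to shed and the call would fail with EPERM. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop is irreversible, i.e. real, effective and saved uid
 * all became uid (the ruid/euid/svuid check from the quoted mail). If
 * setuid(0) or seteuid(0) still succeeds, a saved root uid was left behind. */
int privileges_dropped(uid_t uid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return 0;
    return 1;
}

/* Front-end hand-off after authentication: drop privileges, confirm,
 * then exec the data-transfer program (hypothetical path). The exec gives
 * the transfer process a fresh image, so a core dump from it cannot
 * contain the password buffers or other root-era memory of the front-end. */
int handoff(const char *jail, uid_t uid, gid_t gid, const char *backend)
{
    if (drop_privileges(jail, uid, gid) != 0 || !privileges_dropped(uid)) {
        perror("privilege drop failed");
        return -1;
    }
    execl(backend, backend, (char *)NULL);
    perror("exec failed");
    return -1; /* reached only if exec failed */
}
```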