Re: [PATCH] Fix system() behaviour when parameter is NULL

To: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Subject: Re: [PATCH] Fix system() behaviour when parameter is NULL
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Fri, 29 Aug 2008 05:51:31 +0000

On Thu, Aug 28, 2008 at 03:32:20PM -0400, Steven M. Bellovin wrote:
 > > Yes.  However, is it the right one here?  If system()'s caller is
 > > set-id, I'm not convinced it will give the answer we want if the ruid
 > > and euid have different access rights on _PATH_BSHELL.
 > 
 > A different question entirely, and you may be right -- I was simply
 > answer the question about whether access() is a security hole per se.

If someone calls system() while setugid, they deserve the
consequences, so I don't think it matters.

-- 
David A. Holland
dholland%netbsd.org@localhost

References:
- [PATCH] Fix system() behaviour when parameter is NULL
  - From: Andy Shevchenko
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: mouss
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: Steven M. Bellovin
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: der Mouse
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: Steven M. Bellovin

Prev by Date: Re: RCSID/SCCS conditionals
Next by Date: Re: [PATCH] Fix system() behaviour when parameter is NULL
Previous by Thread: Re: [PATCH] Fix system() behaviour when parameter is NULL
Next by Thread: Re: [PATCH] Fix system() behaviour when parameter is NULL
Indexes:

Home | Main Index | Thread Index | Old Index