[EMAIL PROTECTED] (Thomas Bushnell, BSG) wrote:

> Well, a setuid exec itself should disable EXECSERVERS. But the
> environment variable might still get inherited, and seven layers of
> fork/exec later, do something nasty. So that means that setuid exec
> should in fact clear EXECSERVERS in the passed environment.
>
> That's a nasty wart, however, having the *exec server* go mucking
> around with environment variables.
I don't know this Hurd stuff very well (or at all, nearly), but in Unix terms, I'd say whatever code sets uid=euid (if any) in a setuid situation should take responsibility for clearing dangerous environment variables (or any other attributes of the process state inherited from the pre-setuid situation). As long as uid!=euid, dangerous environment variables can be safely preserved but ignored.

Does the exec server set uid=euid? (Or is that not meaningful in the Hurd?)

The counterargument is that doing things this way requires more careful programming, and clearing dangerous environment variables sooner means that buggy code will be merely buggy and not vulnerable.

paul

_______________________________________________
Bug-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-hurd