On Fri, Apr 26, 2019 at 11:46:17PM -0600, Theo de Raadt wrote:
> Igor Podlesny <[email protected]> wrote:
>
> > On Sat, 27 Apr 2019 at 12:37, Anthony J. Bentley <[email protected]> wrote:
> > >
> > > You didn't check the manpage.
> >
> > you didn't think it over.
> > https://www.mail-archive.com/[email protected]/msg167012.html
>
> No, you didn't think it through at all.
>
> You are expecting the malloc settings to provide security guarantees.
> They do not. They detect corruption. That is not the same as
> a security guarantee.
>
> Then you wish to use this inside a chroot jail, and make it tighter.
>
> Fine.
>
> Next you argue but what if the program inside the jail adjusts
> its environment. Well then all bets are off. Why would that
> program modify its environment variable only, rather than just
> doing anything else it wants to do?
>
> Why would it restrict itself to adjusting this specific environment
> variable only, and why would you consider that to impact security?
>
>
> The malloc configuration was moved to a sysctl to make it compatible
> with pledge+unveil. It has tightened the security in many programs.
>
> The change has weakened security in your configurations because
> you designed them wrong.
Additionally, in many cases using a symlink has unclear effects, since
it is hard to determine if the first malloc call (malloc inits itself
on first use) happens before or after the chroot call. I would argue
that in many cases people were thinking they had per-chroot settings,
while actually they had not.
-Otto
>
> Finally Igor you are being a jerk. Cut it out.
>
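The ordering problem Otto describes above, shown as an added toy program that is not OpenBSD's malloc and not part of this thread: an allocator that resolves its options once, on the first allocation, from whatever "/etc/malloc.conf" is visible under the current root. The two roots, their option strings (the jail's "SU" is a constructed value) and the chroot step are in-memory stand-ins, so the program runs without privileges; what it demonstrates is that the same jail configuration is honoured or silently ignored depending only on whether something allocated before chroot(2) was called.

```c
/*
 * Added illustration (not OpenBSD's malloc): a toy allocator whose
 * options are resolved lazily on the first allocation, the way the old
 * /etc/malloc.conf symlink was consulted on first use.  Whether the
 * options seen inside a chroot come from the host or from the jail
 * depends on when the first allocation happens relative to chroot(2).
 * Roots, option strings and the chroot step are constructed, in-memory
 * stand-ins; no real filesystem or chroot is involved.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "filesystems": what each root's /etc/malloc.conf would
 * resolve to.  The host has no symlink; the jail admin set "SU". */
static const char *HOST_OPTS = "";
static const char *JAIL_OPTS = "SU";

/* Process state: current root and the allocator's one-time options. */
static const char *current_root = "/";
static int   opts_initialised = 0;
static char  opts_in_effect[16] = "";

/* Stand-in for readlink("/etc/malloc.conf") relative to the current root. */
static const char *read_malloc_conf(const char *root)
{
    if (strcmp(root, "/jail") == 0)
        return JAIL_OPTS;
    return HOST_OPTS;
}

/* Toy chroot: only changes which "filesystem" later lookups see. */
static void simulated_chroot(const char *root)
{
    current_root = root;
}

/* Toy malloc: on first use, read the options once and keep them forever. */
static void *lazy_malloc(size_t n)
{
    if (!opts_initialised) {
        snprintf(opts_in_effect, sizeof opts_in_effect, "%s",
                 read_malloc_conf(current_root));
        opts_initialised = 1;
    }
    return malloc(n);
}

/* Start each scenario from a fresh "process". */
static void reset_process(void)
{
    current_root = "/";
    opts_initialised = 0;
    opts_in_effect[0] = '\0';
}

/* Program that allocates (e.g. inside some libc call) before entering
 * the jail: the jail's malloc.conf is never consulted. */
const char *scenario_alloc_then_chroot(void)
{
    reset_process();
    free(lazy_malloc(64));        /* first malloc: options come from host */
    simulated_chroot("/jail");
    free(lazy_malloc(64));        /* already initialised: jail config ignored */
    return opts_in_effect;
}

/* Program that enters the jail before its first allocation: the jail's
 * malloc.conf is what takes effect. */
const char *scenario_chroot_then_alloc(void)
{
    reset_process();
    simulated_chroot("/jail");
    free(lazy_malloc(64));        /* first malloc: options come from jail */
    return opts_in_effect;
}

int main(void)
{
    printf("alloc then chroot: options=\"%s\"\n", scenario_alloc_then_chroot());
    printf("chroot then alloc: options=\"%s\"\n", scenario_chroot_then_alloc());
    return 0;
}
```

Running it prints an empty option string for the first scenario and "SU" for the second. A per-process sysctl-style setting has no such window, which is the practical reason a per-jail symlink gave administrators less than they thought it did.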