Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

From

Andrey Chernov <ache@FreeBSD.ORG>

Date

15 Jan 2012 02:15:14

Subject

Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

Message-ID

20120115021505.GA88927@vniz.net

In reply to

Xin LI (svn-src-head) , Xin LI

References to

Colin Percival (svn-src-head) , Colin Percival, John Baldwin (svn-src-head) , John Baldwin, John Baldwin, John Baldwin (svn-src-head) , Alexander Kabaev, Alexander Kabaev (svn-src-head) , Kostik Belousov, Kostik Belousov (svn-src-head) , Andrey Chernov (svn-src-head) , Andrey Chernov, Xin LI (svn-src-head) , Xin LI

Replies

Xin LI (svn-src-head) , Xin LI

Referenced by

Xin LI (svn-src-head) , Xin LI, Andrey Chernov (svn-src-head) , Andrey Chernov

[ Hide this part ]

On Sat, Dec 24, 2011 at 02:26:20AM -0800, Xin LI wrote:
> chroot(2) can create legitimate and secure environment where dlopen(2)
> is safe and necessary.

It seems it is internal contradiction in your argumentation:
1) You state that chroot(2) can create legitimate environment.
2) For ftpd's you disable .so loading in any case, i.e. even for
legitimate environment too and you want to do so intentionally refusing
passing responsibility to chroot(2) environment creator.

In that situation the only suggestion of something like public interface
is setting enviroment variable like "LD_SO_DISABLE" which prevents .so
loading in libc.

This is more clear than your stopgap.

And please don't say that enviroment variable can be overwritten by the
user inside ftpd itself, it is not so. And for case when some ftpd allows
to call _any_ external program, it could do anything, like with your
stopgap too.

--
http://ache.vniz.net/