On Fri, 26 May 2000, Nigel Metheringham wrote:
> Ugh... that's a good point... I wonder if an LD_PRELOAD attack could be
> used against a user-supplied non-setuid forward-piped program. I know
> a setuid prog won't *honour* these itself, but if it's not setuid its
> children do, so you can still subvert someone else's UID from a local
> account.
First point: Programs run by Exim's pipe transport have never passed on
the environment. They have always constructed their own, as documented.
Same is true for queryprogram (it has *no* environment).
Second point: for Exim itself, this worry was part of the original
thinking behind the environment flattening. But now I find all kinds of
things that "need" to be left there. I fear that this is going to be a
different list on different OSes, and that less knowledgeable users are
going to find it a real tar pit to understand and fiddle with.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
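The mechanism Philip describes for the pipe transport, a setuid parent building its child's environment from scratch instead of passing on what it inherited, as an added example. This is illustrative code written for this page, not Exim's own transport code: the variable names and fixed values (PATH, SHELL, HOME, USER, LOGNAME, SENDER), the refusal of any LD_-prefixed name, and the "hostile" parent environment are all assumptions chosen for the demonstration. The point it shows is the one in the quoted message: the dynamic loader ignores LD_PRELOAD for the setuid process itself, but a non-setuid child would honour it, so the child must never see the parent's environ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define ENV_MAX 16
#define ENV_LEN 256

/* A freshly constructed environment for a child process. The NULL-terminated
 * vec[] is what gets handed to execve(); nothing in it comes from environ. */
struct child_env {
    char slots[ENV_MAX][ENV_LEN];
    char *vec[ENV_MAX + 1];
    int count;
};

/* Append NAME=VALUE. Refuses names that steer the dynamic loader (LD_*), so
 * that a later caller cannot reintroduce the hole by "just passing it on". */
static int env_add(struct child_env *e, const char *name, const char *value)
{
    if (e->count >= ENV_MAX) return -1;
    if (strncmp(name, "LD_", 3) == 0 || strchr(name, '=') != NULL) return -1;
    int n = snprintf(e->slots[e->count], ENV_LEN, "%s=%s", name, value);
    if (n < 0 || n >= ENV_LEN) return -1;
    e->vec[e->count] = e->slots[e->count];
    e->count++;
    e->vec[e->count] = NULL;
    return 0;
}

/* Build the child's environment from fixed values plus per-delivery data the
 * caller supplies. The parent's own environment is deliberately never read.
 * Returns the number of entries, or -1 on failure. (Names/values assumed.) */
int build_child_env(struct child_env *e, const char *home, const char *user,
                    const char *sender)
{
    e->count = 0;
    e->vec[0] = NULL;
    if (env_add(e, "PATH", "/usr/bin:/bin") < 0) return -1;
    if (env_add(e, "SHELL", "/bin/sh") < 0) return -1;
    if (env_add(e, "HOME", home) < 0) return -1;
    if (env_add(e, "USER", user) < 0) return -1;
    if (env_add(e, "LOGNAME", user) < 0) return -1;
    if (env_add(e, "SENDER", sender) < 0) return -1;
    return e->count;
}

/* Look a name up in a NULL-terminated env vector; value or NULL if absent. */
const char *env_lookup(char *const *vec, const char *name)
{
    size_t n = strlen(name);
    for (; *vec != NULL; vec++)
        if (strncmp(*vec, name, n) == 0 && (*vec)[n] == '=')
            return *vec + n + 1;
    return NULL;
}

/* Fork and exec PATH with ARGV, passing only the constructed environment.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_with_clean_env(const char *path, char *const argv[],
                       const struct child_env *e)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, e->vec);   /* environ is NOT passed */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed "hostile" parent environment, as a local user might set it. */
    char *const hostile[] = { "LD_PRELOAD=/tmp/evil.so", "PATH=/tmp:/bin", NULL };

    struct child_env e;
    if (build_child_env(&e, "/home/alice", "alice", "bob@example.org") < 0)
        return 1;

    printf("parent LD_PRELOAD: %s\n", env_lookup(hostile, "LD_PRELOAD"));
    printf("child  LD_PRELOAD: %s\n",
           env_lookup(e.vec, "LD_PRELOAD") ? "set" : "absent");

    /* The child checks from the inside that the loader variable is gone and
     * that PATH is the parent's fixed value, not the hostile one. */
    char *const argv[] = { "sh", "-c",
        "test -z \"$LD_PRELOAD\" && test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_with_clean_env("/bin/sh", argv, &e);
}
```

The whitelist-and-rebuild approach is what makes the guarantee hold regardless of OS: rather than trying to enumerate every loader, locale, or shell variable that might be dangerous on a given platform (the "different list on different OSes" problem Philip mentions), the child gets exactly the handful of variables the parent decided on and nothing else.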