Re: Re: [xml] security issue.



Hi,

 The problem of the environment variables of a user being visible to the
other users, without the user having to hack into the environment, still
exists in Solaris. The /usr/ucb/ps command helps here.

 Executing "/usr/ucb/ps uxgaeww" lists out all the environment variables
and their values used by all the users currently logged in to the system,
including root's.

This /usr/ucb/ps call is present for compatibility with BSD.

 So, now as we can see the env through the /usr/ucb/ps command, the
FTP username and password of a user are visible to all. Isn't this an issue?

Regards,
 Laavanya


----- Original Message -----
From: "Daniel Veillard" <veillard redhat com>
To: "Anju Premachandran" <anju premachandran wipro com>
Cc: <aleksey aleksey org>; <xml gnome org>
Sent: Wednesday, June 26, 2002 7:11 PM
Subject: Re: [xml] security issue.

On Tue, Jun 25, 2002 at 04:09:00PM +0530, Anju Premachandran wrote:
> Hi Aleksey
>
> How did your security audit go? Did u find any new issues?
>
> Regarding the environment variables for HTTP/FTP access; as u said if a
> bad guy can change the environment variables it can turn out to be a
> concern.

  If an attacker can change your environment variables, you're toasted,
just think about LD_PRELOAD. Conclusion, I don't think any special
security concern must be had associated to an environment variable value.

  I will appreciate opposite viewpoint if explained ;-)

Daniel

--
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
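
A check a user can run on their own environment before starting a long-lived process, given that ps can expose it to other local users as described in the thread above. This is an added example, not part of the original messages; the name pattern, the function name and the sample variables are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Variable names that conventionally carry a secret (assumed heuristic).
SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.IGNORECASE)


def find_exposed_credentials(env):
    """Return sorted (name, reason) pairs for variables that carry a credential.

    Values are never returned, so the report itself can be logged safely.
    """
    findings = []
    for name, value in env.items():
        if not value:
            continue  # an empty variable exposes nothing
        if SECRET_NAME.search(name):
            findings.append((name, "secret-like variable name"))
            continue
        # Proxy-style settings often embed user:password@host in a URL.
        try:
            parts = urlsplit(value)
            has_password = bool(parts.scheme and parts.password)
        except ValueError:
            has_password = False  # not a parseable URL
        if has_password:
            findings.append((name, "URL with embedded password"))
    return sorted(findings)


# Constructed sample environment; names and values are illustrative only.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "ftp_proxy": "ftp://alice:s3cret@proxy.example.com:2121/",
    "http_proxy": "http://proxy.example.com:3128/",
    "FTP_PASSWORD": "hunter2",
    "EMPTY_TOKEN": "",
}

if __name__ == "__main__":
    import os
    # Audit the environment this process inherited.
    for name, reason in find_exposed_credentials(dict(os.environ)):
        print(f"{name}: {reason}")
```

Anything it reports is better supplied through a file readable only by its owner than through the environment.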



