svn commit: r228843 - head/contrib/telnet/libtelnet
head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen
head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Andrey Chernov
ache at FreeBSD.ORG
Thu Dec 29 19:42:39 UTC 2011
On Thu, Dec 29, 2011 at 11:15:44AM -0800, Xin Li wrote:
> Would you please elaborate how this would be less ugly (e.g. with a
> patch)?
Why doing a patch if you apparently don't care? )
In few words, it less ugly because it 1) will be public API, 2) will
restrict all possibe future dlopen() usage (f.e. someday tar, which used
in some ftpds, can use dlopen() to load its formats etc.)
> We discussed a change like this but IIRC it was rejected because the
> affected surface is too broad and we wanted to limit it to just the
> implicit dlopen()s to avoid breaking legitimate applications.
Instead of total disabling we can (by calling rtld function) restrict
dlopen() in ftpd() to absolute path of know safe directories list like
"/etc" "/lib" "/usr/lib" etc.
--
http://ache.vniz.net/
More information about the freebsd-security
mailing list