svn commit: r228843 - head/contrib/telnet/libtelnet
head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen
head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Andrey Chernov
ache at FreeBSD.ORG
Thu Dec 29 20:46:44 UTC 2011
On Thu, Dec 29, 2011 at 12:30:23PM -0800, Xin Li wrote:
> >> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin <jhb at freebsd.org>
> > Another route might have been set an env
> > var
I already suggest it as one of possible ways.
> Using an environment variable may be not a good idea since it can be
> easily overridden, and I think if the program runs something inside
> the chroot, the jailed chroot would have more proper setup to avoid
> this type of attack?
In case user (more precisely, ftpd) runs any program which resides in
/incoming/, nothing helps in anycase. In case ftpd runs known programs
from known locations only, it can't be overriden because known program
(say, ls) is not malicious by itself and can be turned malicious only by
loading .so from current directory, which env variable prevents.
--
http://ache.vniz.net/
More information about the freebsd-security
mailing list