From: Daniel B. <da...@no...> - 2001-01-18 12:52:57

Martin Atzmueller <ma...@at...> writes:

> Yes, I think it would be reasonable. Looking at your sample code
> (SBCL vs. perl) quite effectively confirmed this.
> I don't know if making this incompatible change has some bad effects.
> Currently I can't think of any ...

From a security standpoint there's an argument for starting new programs with known environment contents rather than "whatever the parent had".

If (a) the parent allows its environment to be changed by a user - and in a large Lisp system it's going to be moderately difficult to prove it doesn't (turned *read-eval* off? everywhere?), and (b) the parent program operates with different privileges from whatever the user would usually have (not necessarily 'root'; it could be some kind of persistent process running as 'httpd' or 'nobody', for example), and invokes the child with those same "interesting" privileges, there are all kinds of fun environment variables that can be set to subvert the child's behaviour.

I'm thinking about things like the telnetd exploit of yesteryear. From memory (I could be wrong) telnetd stripped everything from the environment that it thought might be dangerous (reset PATH, IFS to sane values, etc) but having been written in the days before dynamic loading it didn't know about LD_PRELOAD. And LD_PRELOAD when set by a malicious user can be _very_ dangerous.

Emptying the environment won't make it impossible for people to code up systems with these kinds of holes, but will help it not to be the default action.

-dan

--
http://ww.telent.net/cliki/ - Link farm for free CL-on-Unix resources
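The contrast the message draws, a telnetd-style "strip what we know is dangerous" filter next to the "start from an empty environment" default it argues for, as an added example in Python (not SBCL code and not from the thread); the denylist contents, the safe default values and the poisoned sample environment are this example's own assumptions:

```python
"""Two ways to build a child's environment from an untrusted parent environment.

deny_known_bad() mirrors the telnetd approach described in the thread: it only
removes variables its author knew about, so a later addition such as LD_PRELOAD
slips through.  start_empty() builds the child's environment from nothing, so
anything not explicitly allowed is dropped by default.  (Example code for this
thread; the lists below are assumptions, not a complete inventory.)
"""
import json
import subprocess
import sys

# Known-good values the child always gets, whatever the parent had (assumed values).
SAFE_DEFAULTS = {"PATH": "/usr/bin:/bin", "IFS": " \t\n"}

# Denylist written "before dynamic loading": it resets PATH and IFS but has never
# heard of LD_PRELOAD, which is exactly the gap the thread describes.
PRE_DYNLOAD_DENYLIST = ("PATH", "IFS")


def deny_known_bad(parent_env):
    """Inherit everything except a fixed list of known-dangerous variables."""
    env = {k: v for k, v in parent_env.items() if k not in PRE_DYNLOAD_DENYLIST}
    env.update(SAFE_DEFAULTS)
    return env


def start_empty(parent_env, allow=("HOME", "LANG", "TZ")):
    """Start from an empty environment; copy only an explicit allowlist over safe defaults."""
    env = dict(SAFE_DEFAULTS)
    for name in allow:
        if name in parent_env:
            env[name] = parent_env[name]
    return env


def child_sees(env):
    """Spawn a child with exactly `env` and return the environment it actually observes."""
    code = "import os, json; print(json.dumps(dict(os.environ)))"
    proc = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sample of a parent environment a user could have poisoned.
    poisoned = {"PATH": "/tmp/x:/usr/bin", "IFS": "/", "LD_PRELOAD": "/tmp/x.so", "HOME": "/home/nobody"}
    print("denylist child env :", child_sees(deny_known_bad(poisoned)))
    print("allowlist child env:", child_sees(start_empty(poisoned)))
```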