Larry Rosenman writes:
> Universal Practice does NOT equal Security and Usability.
> Please consider what Kean is saying here.
What Kean is saying is that your system is insecure if you have a setuid
executable that references shared libraries with nonabsolute sonames and
you have a system (an "older system") that contains a particular bug in
its run-time dynamic loader that it obeys LD_LIBRARY_PATH for setuid
executables. That is fairly common knowledge, and that's why
LD_LIBRARY_PATH is ignored for setuid executables on all properly
functioning operating systems.
If your system is broken in that particular way, upgrade your system or
don't use setuid programs at all. Those are the only sane choices. It is
not an acceptable choice to disable all valid uses of nonabsolute sonames
for all users, just because some users are running on broken systems with
obvious security flaws.
Peter Eisentraut peter_e(at)gmx(dot)net
In response to
pgsql-patches by date
|Next:||From: Andrew Dunstan||Date: 2003-07-25 08:28:55|
|Subject: Re: PG Patch (fwd) [openserver patch followup #2]|
|Previous:||From: Bruce Momjian||Date: 2003-07-25 04:47:34|
|Subject: Re: UPDATED Patch for adding DATACUBE operator|