<<< Date Index >>>     <<< Thread Index >>>

Re: [PATCH] Remove absolute paths from gpg.rc



Derek Martin wrote on 20 Mar 2007 04:51:37 +0100:

> Just for the sake of not being called a cop-out, I will provide one
> published by a renowned and verifiable Unix security expert:
>
>   http://sunsite.uakom.sk/sunworldonline/swol-08-1998/swol-08-security.html
>
> Ooh, what's that you say, Peter?  E-mail applications should not trust
> the user's PATH?  Hmmm...  Convenient that he named that example
> explicitly.

Well, that's not what I understand in reading the page...  it says:

# Specifically, these methods should be applied to the following:
# 
#     * All setuid and setgid programs
#     * ...
#     * Programs that run with input from outside or use information
#       obtained from the environment (for example: mail agents for users,
#       PATH variable for spawning subprocesses) 

What I understand is that he is describing two different situations:

1. MUA deal with information from the outside.

2. Program that spawn process uses information from the environment.

These situations have in common that some data comes from the outside
and could be malicious:

1. A mail can contain some kind of incorrect or unusual data that will
   trigger a buffer overflow in the MUA.

2. The $PATH can be used to trick a setuid program and to gain some
   privileges.

But these scenarios are completely different.  In the case of mutt, the
mail is an untrusted information, but the $PATH is a trusted one.  Mutt
does not have to protect something from the user, it has no more rights
than the user who run it.  The user has no reason to do evil things with
mutt's $PATH, and the data in the mail can't modify the $PATH, so I
don't see why mutt should do anything special with the path.

-- 
Gaëtan LEURENT

Attachment: pgpVV75XgBUtX.pgp
Description: PGP signature