Re: exec and EXECSERVERS

[Paul Jarc]

Roland McGrath <roland@gnu.org> wrote:
>> Anyhow, the point is a good one with respect to environment variables,
>> and perhaps we should enable EXECSERVERS with the suggested tweak,
>> that it is off for secure exec and for euid!=ruid.
>
> EXECSERVERS has to be excised from the environment, not just ignored.

If it is ignored both for secure exec and when euid!=ruid already,
then AFAICT, the only remaining problem case (assuming it is not
excised) is a program running in a setuid situation that tries to
sanitize its environment, etc., sets ruid=euid, and then runs another
program.  Such a sanitizer is probably already insecure, even on Unix,
since it cannot in general predict what needs to be sanitized for the
sake of other programs.  (Or if it is secure on Unix, that's probably
because it removes all environment variables it doesn't specifically
recognize, which would include EXECSERVERS.)  I don't think it would
be any more vulnerable on the Hurd.  Are any such programs even known
to exist?  su sets ruid=euid, but only after the user has
authenticated, in which case I think it's ok keep EXECSERVERS.


paul