[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Limiting environment use for setuid/setgid programs only?

From: Thomas Dickey
Subject: Re: Limiting environment use for setuid/setgid programs only?
Date: Mon, 17 Apr 2023 18:23:35 -0400

On Sat, Apr 15, 2023 at 10:29:38AM +0200, Sven Joachim wrote:
> The ramifications of CVE-2023-29491 can be limited by configuring
> ncurses with --disable-root-environ.  However, this disables all use of
> the ncurses environment variables by the superuser which has the
> potential to break scripts and makefiles.

Revisiting this - what scripts are setting $TERMINFO (or $TERMINFO_DIRS)
that root should pay attention to?

(makefiles don't _need_ environment variables)

These pathnames are addressed by the --disable-root-environ option:


as well as these (not used in Debian):


> Would it be possible to add a new option that only limits environment
> use for setuid/setgid programs, like the --disable-root-access behavior?

It's possible,

But I don't see why root should be more permissive than a setuid program :-)

Thomas E. Dickey <dickey@invisible-island.net>

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]