Josselin Mouette writes:
> I think Steve has a point, and as he explains, this is not a big
> security issue; however it is breaking the expectations you have when
> logging as another user. For example, it is not expected that starting
> an application as the other user will re-use the running o
On Sat Jan 24 14:08, Josselin Mouette wrote:
> On Saturday 24 January 2009 at 10:05 +, Matthew Johnson wrote:
> > Well, if they are using DBUS this should be fine. You cannot connect to
> > a session bus with a uid other than the one it is running as (including
> > root)
>
> Clearly that’s not
On Saturday 24 January 2009 at 10:05 +, Matthew Johnson wrote:
> Well, if they are using DBUS this should be fine. You cannot connect to
> a session bus with a uid other than the one it is running as (including
> root)
Clearly that’s not the case, since the original issue happens over
D-Bus. I
On Sat, 2009-01-24 at 11:07 +0100, Josselin Mouette wrote:
> The question is whether we can consider safe to pass authentication
> tokens as environment variables. Either we do, and we fix applications
> that pass environment where they shouldn’t. Either we don’t, and we have
> to find another way
On Sat Jan 24 11:00, Reinhard Tartler wrote:
> Josselin Mouette writes:
>
> > I think Steve has a point, and as he explains, this is not a big
> > security issue; however it is breaking the expectations you have when
> > logging as another user. For example, it is not expected that starting
> > a
On Saturday 24 January 2009 at 11:00 +0100, Reinhard Tartler wrote:
> Well, then how about gnome-keyring or other applications not expecting
> that behaviour should then check the effective user id in addition to
> the session cookie in the environment variable?
>
> In any case, this behaviour sho
## Josselin Mouette (j...@debian.org):
> I think Steve has a point, and as he explains, this is not a big
> security issue; however it is breaking the expectations you have when
> logging as another user. For example, it is not expected that starting
> an application as the other user will re-use
On Saturday 24 January 2009 at 09:04 +0100, Reinhard Tartler wrote:
> the latter command indeed prunes the environment, and calling
>
> su -c gnome-terminal -
>
> successfully fails (heh) with failing to open a display. what's the
> problem here?
"su -" is actually pruning the environment as it s
Josselin Mouette writes:
> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. [... ]
>
> Before I work around this specific issue in the fugliest way, shouldn’t
> we prevent su from preserving the environment?
compare this:
su -c env
to
On Sat, Jan 24, 2009 at 08:41:37AM +0100, Josselin Mouette wrote:
> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. This has several security implications:
> * variables like PERL5LIB or GTK_MODULES can be passed to another
> use