[systemd-devel] [PATCH] path-lookup: use secure_getenv()
tixxdz at opendz.org
Mon Mar 16 10:52:09 PDT 2015
On Mon, Mar 16, 2015 at 06:31:29PM +0100, David Herrmann wrote:
> On Sun, Mar 15, 2015 at 12:36 PM, Ronny Chevalier
> <chevalier.ronny at gmail.com> wrote:
> > 2015-03-15 3:27 GMT+01:00 Shawn Landden <shawn at churchofgit.com>:
> >> All these except user_data_home_dir() are certainly vectors for
> >> arbitrary code execution. These should use secure_getenv()
> >> ---
> > Hi,
> > I don't see why secure_getenv() is appropriate here? These functions
> > are never used in the libraries systemd provides, they are mostly used
> > by systemctl and the dbus manager. Can you provide more details?
> You're right, but on the other hand secure_getenv() is usually
> sufficient (we don't use setuid() nor fs-caps). So secure_getenv()
> wouldn't hurt.
> But I don't really care..
Yeh, perhaps just push them and forget about them even if they are
called later from libraries or copy+past into a library call... ?!
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
More information about the systemd-devel