How can a user get BOINC to run under a different account but with environment variables he chose? Whatever privileges it has, it's certainly not installed with setuid...
-- 
Nicolás

2012/10/19, rustyBSD <[email protected]>:
> Mmhh... I don't think so. If boinc is running
> with more privileges than the "public" user, this
> user just has to set an environment variable large
> enough and add shellcode at the end to escalate
> privileges.
>
> I know we always must use size-checking functions,
> but getenv() is particularly thorny, so it should be
> replaced first.
>
>
> On 18/10/2012 01:12, David Anderson wrote:
>> Thanks; I checked in some of these
>> (it took a while because I was on vacation).
>> Notes:
>>
>> - For now, we're not generally using size-checking functions
>> like snprintf() and strlcpy().
>> - For now, we're not checking for malloc() failing.
>>
>> In both cases: if we're going to add these checks,
>> we'd need to do it everywhere.
>> There's no point in doing it in just a few places.
>> Doing it everywhere is a large code change,
>> not currently justified by reported problems.
>>
>> -- David
>>
>> On 17-Oct-2012 5:08 AM, rustyBSD wrote:
>>> Hi,
>>> here are little patches.
>>>
>>> == async_start.cpp.diff & switcher.cpp.diff ==
>>> getenv()ed pointers are copied to fixed-size char,
>>> so it overflows if pointer's length > char.
>>>
>>> == filesys.cpp.diff ==
>>> Idem, and some trivial simplifications...
>>>
>>> == async_file.cpp.diff ==
>>> fread() and fwrite() are size_t, and never return < 0.
>>>
>>> == atiopencl.cpp.diff ==
>>> This fopen() is never closed.
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
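The thread above is about three things: a getenv() result copied into a fixed-size char array with no length check, fread()/fwrite() results being compared against a negative value they can never take, and a FILE handle that is opened but never closed. The following is an added example written for this page, not BOINC's own code or any of rustyBSD's patches, showing the unchecked copy beside two bounded versions, a count-based fwrite() check, and a handle that is closed on every path. The environment variable name BOINC_EXAMPLE_DIR and the 64-byte buffer size are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_BUF 64  /* assumed, deliberately small so an over-long value is easy to construct */

/* The shape the patches target: a getenv() result copied into a fixed-size
 * array with no length check. strcpy() writes strlen(val)+1 bytes whatever
 * the size of dst, so a value longer than the array overwrites whatever
 * follows it on the stack. Kept only to show the "before" pattern; it is
 * never called here and must never be called with attacker-controlled input. */
static void copy_env_unchecked(char dst[ENV_BUF], const char *val) {
    strcpy(dst, val);
}

/* Hardened: refuse values that do not fit rather than silently truncating.
 * Returns 0 on success, -1 if the variable is unset or too long for dst. */
int copy_env_checked(char *dst, size_t dstsz, const char *val) {
    if (val == NULL || dstsz == 0) return -1;
    size_t n = strlen(val);
    if (n >= dstsz) return -1;      /* need room for the terminating NUL */
    memcpy(dst, val, n + 1);
    return 0;
}

/* Alternative with snprintf(): it never overruns dst, but it truncates
 * silently, so the return value must still be compared against dstsz.
 * Returns 0 if the whole value fit, -1 if it was truncated or unset. */
int copy_env_truncating(char *dst, size_t dstsz, const char *val) {
    if (val == NULL || dstsz == 0) return -1;
    int r = snprintf(dst, dstsz, "%s", val);
    return (r < 0 || (size_t)r >= dstsz) ? -1 : 0;
}

/* Read a real environment variable into a bounded buffer. */
int get_env_into(const char *name, char *dst, size_t dstsz) {
    return copy_env_checked(dst, dstsz, getenv(name));
}

/* fread()/fwrite() return size_t and never go negative; a short count is
 * the only error signal, so compare with the requested count instead of
 * testing for "< 0". Returns 0 if every byte was written, -1 otherwise. */
int write_all(FILE *f, const void *buf, size_t len) {
    return fwrite(buf, 1, len, f) == len ? 0 : -1;
}

int main(void) {
    char buf[ENV_BUF];
    (void)copy_env_unchecked;   /* referenced so the compiler does not warn; not called */

    /* Try it with an over-long value, e.g. in a POSIX shell:
     *   BOINC_EXAMPLE_DIR=$(printf 'A%.0s' $(seq 1 100)) ./a.out */
    if (get_env_into("BOINC_EXAMPLE_DIR", buf, sizeof buf) == 0)
        printf("BOINC_EXAMPLE_DIR fits: %s\n", buf);
    else
        printf("BOINC_EXAMPLE_DIR unset or longer than %zu bytes; refusing it\n",
               sizeof buf - 1);

    /* The handle is closed on the only path that opened it. */
    FILE *out = tmpfile();
    if (out != NULL) {
        const char msg[] = "checked write\n";
        printf("write_all: %s\n",
               write_all(out, msg, sizeof msg - 1) == 0 ? "ok" : "short write");
        fclose(out);
    }
    return 0;
}
```

Rejecting an over-long value, as copy_env_checked() does, is the safer default for a path or account name coming from the environment: a silently truncated path can point a privileged process at the wrong directory, which is why copy_env_truncating() still reports truncation through snprintf()'s return value rather than trusting the buffer contents.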
