On Thu, Dec 29, 2011 at 11:15:44AM -0800, Xin Li wrote: > Would you please elaborate how this would be less ugly (e.g. with a > patch)?
Why doing a patch if you apparently don't care? ) In few words, it less ugly because it 1) will be public API, 2) will restrict all possibe future dlopen() usage (f.e. someday tar, which used in some ftpds, can use dlopen() to load its formats etc.) > We discussed a change like this but IIRC it was rejected because the > affected surface is too broad and we wanted to limit it to just the > implicit dlopen()s to avoid breaking legitimate applications. Instead of total disabling we can (by calling rtld function) restrict dlopen() in ftpd() to absolute path of know safe directories list like "/etc" "/lib" "/usr/lib" etc. -- http://ache.vniz.net/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
