On Wed, Jul 5, 2017 at 4:50 PM, Kees Cook <keesc...@chromium.org> wrote:
>
> As part of that should we put restrictions on the environment of
> set*id exec too?

I'm not seeing what sane limits you could use.

I think the concept of "reset as much of the environment to sane things when running suid binaries" is a good concept.

But we simply don't have any sane values to reset things to.

Linus