On Wed, Jul 5, 2017 at 4:50 PM, Kees Cook <[email protected]> wrote:
>
> As part of that should we put restrictions on the environment of
> set*id exec too?

I'm not seeing what sane limits you could use.
I think the concept of "reset as much of the environment to sane
things when running suid binaries" is a good concept.
But we simply don't have any sane values to reset things to.
Linus

