Re: [PATCHES] PG Patch (fwd)

2003-07-19 Thread Larry Rosenman
More on the shared lib stuff. I'd LIKE to get a discussion of this (after just talking to Bruce on the phone). If I need to repost Kean's comments to -HACKERS, let me know. LER Forwarded Message Date: Saturday, July 19, 2003 13:50:55 -0700 From: Kean Johnston <[EMAIL

Re: [PATCHES] PG Patch (fwd) [OpenServer followup #1]

2003-07-19 Thread Larry Rosenman
Follow-up to a question from Bruce on the phone, re: the open server patch 2nd to follow. Kean has graciously agreed to answer questions if y'all need them answered. LER Forwarded Message Date: Friday, July 18, 2003 23:24:47 -0700 From: Kean Johnston <[EMAIL PROTECTED]>

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-19 Thread Larry Rosenman
2nd followup from Kean. LER Forwarded Message Date: Friday, July 18, 2003 23:43:55 -0700 From: Kean Johnston <[EMAIL PROTECTED]> To: Larry Rosenman <[EMAIL PROTECTED]> Cc: Subject: Re: PG Patch Larry Rosenman wrote: I got a question from the PG Core Team (Bruce Momjian)

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-23 Thread Peter Eisentraut
Larry Rosenman writes: > Why do this at all? Security. Having shared libraries without full SONAMEs > is a big security risk. There have been any number of huge exploits based > around this. Point me at any Solaris machine <= 2.7, or any OSR5 system < > 507 or any FreeBSD system <= 4.0 and I can g

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-23 Thread Larry Rosenman
--On Wednesday, July 23, 2003 12:20:34 +0200 Peter Eisentraut <[EMAIL PROTECTED]> wrote: Larry Rosenman writes: Why do this at all? Security. Having shared libraries without full SONAMEs is a big security risk. There have been any number of huge exploits based around this. Point me at any Sola

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Peter Eisentraut
Larry Rosenman writes: > Universal Practice does NOT equal Security and Usability. > > Please consider what Kean is saying here. What Kean is saying is that your system is insecure if you have a setuid executable that references shared libraries with nonabsolute sonames and you have a system (an

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Larry Rosenman
--On Friday, July 25, 2003 09:37:04 +0200 Peter Eisentraut <[EMAIL PROTECTED]> wrote: Larry Rosenman writes: Universal Practice does NOT equal Security and Usability. Please consider what Kean is saying here. What Kean is saying is that your system is insecure if you have a setuid executable

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Peter Eisentraut
Larry Rosenman writes: > I disagree STRONGLY with what you are saying here. What harm does it do to > add the ABILITY for a port to use an ABSOLUTE DT_SONAME? We can discuss adding the ability, but I'm against enforcing it by default. > I believe that the issue is not broken systems, but broken p

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Larry Rosenman
--On Friday, July 25, 2003 11:58:18 +0200 Peter Eisentraut <[EMAIL PROTECTED]> wrote: Larry Rosenman writes: I disagree STRONGLY with what you are saying here. What harm does it do to add the ABILITY for a port to use an ABSOLUTE DT_SONAME? We can discuss adding the ability, but I'm against en

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Andrew Dunstan
Finally I understand the issue, I think. But wouldn't an ordinary user on SCO wanting to install a private copy of Pg then have to hack the Makefiles to change/remove the absolute DT_SONAME? If so, that seems to me to mandate that this not be in the vanilla distribution. OS Vendors commonly make c

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Larry Rosenman
--On Friday, July 25, 2003 03:28:55 -0500 Andrew Dunstan <[EMAIL PROTECTED]> wrote: Finally I understand the issue, I think. But wouldn't an ordinary user on SCO wanting to install a private copy of Pg then have to hack the Makefiles to change/remove the absolute DT_SONAME? If so, that seems to

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2]

2003-07-25 Thread Bruce Momjian
Larry Rosenman wrote: > > If your system is broken in that particular way, upgrade your system or > > don't use setuid programs at all. Those are the only sane choices. It is > > not an acceptable choice to disable all valid uses of nonabsolute sonames > > for all users, just because some users a

Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2] (fwd)

2003-07-24 Thread Larry Rosenman
Date: Thursday, July 24, 2003 04:33:12 -0700 From: Kean Johnston <[EMAIL PROTECTED]> To: Larry Rosenman <[EMAIL PROTECTED]> Cc: Peter Eisentraut <[EMAIL PROTECTED]> Subject: Re: [PATCHES] PG Patch (fwd) [openserver patch followup #2] These concerns might have s