bug-hurd

Re: exec and EXECSERVERS


From: Paul Jarc
Subject: Re: exec and EXECSERVERS
Date: Thu, 19 Dec 2002 19:06:43 -0500
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.2 (i686-pc-linux-gnu)

tb@becket.net (Thomas Bushnell, BSG) wrote:
> Well, a setuid exec itself should disable EXECSERVERS.  But the
> environment variable might still get inherited, and seven layers of
> fork/exec later, do something nasty.  So that means that setuid exec
> should in fact clear EXECSERVERS in the passed environment.
>
> That's a nasty wart, however, having the *exec server* go mucking
> around with environment variables.

I don't know this Hurd stuff very well (or at all, nearly), but in
Unix terms, I'd say whatever code sets uid=euid (if any) in a setuid
situation should take responsibility for clearing dangerous
environment variables (or any other attributes of the process state
inherited from the pre-setuid situation).  As long as uid!=euid,
dangerous environment variables can be safely preserved but ignored.
Does the exec server set uid=euid?  (Or is that not meaningful in the
Hurd?)

The counterargument is that doing things this way requires more
careful programming, and clearing dangerous environment variables
sooner means that buggy code will be merely buggy and not vulnerable.


paul
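
The two policies contrasted in the message above, sketched in Unix terms: ignore dangerous variables while uid != euid, and scrub them in whatever code sets uid = euid. This is an added example, not code from the thread or from the Hurd; the function names and the LD_* list entries are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* EXECSERVERS is the variable from the thread; the LD_* entries are an
   assumed sample of other variables a real list would carry. */
static const char *const dangerous_vars[] = {
    "EXECSERVERS", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Nonzero while the real and effective ids differ (the setuid situation). */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Preserve-but-ignore: while ids differ, dangerous variables read as unset. */
const char *getenv_checked(const char *name, int tainted) {
    for (size_t i = 0; tainted && dangerous_vars[i]; i++)
        if (strcmp(name, dangerous_vars[i]) == 0)
            return NULL;
    return getenv(name);
}

/* Remove every dangerous variable; returns how many were set, -1 on error. */
int scrub_dangerous_env(void) {
    int removed = 0;
    for (size_t i = 0; dangerous_vars[i]; i++) {
        if (getenv(dangerous_vars[i]) == NULL)
            continue;
        if (unsetenv(dangerous_vars[i]) != 0)
            return -1;
        removed++;
    }
    return removed;
}

/* The code that sets uid=euid scrubs first: afterwards the ids no longer
   mark the inherited environment as untrusted. Groups change before users. */
int commit_to_effective_ids(void) {
    if (scrub_dangerous_env() < 0)
        return -1;
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    return setreuid(geteuid(), geteuid());
}
```

A caller would pass `ids_differ(getuid(), geteuid(), getgid(), getegid())` as the `tainted` argument to `getenv_checked`.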


