Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: bmajik () NOCBOY NTR NET (Matt Evans)
Date: Thu, 9 Jul 1998 16:17:25 -0400
On Jul 8, 10:40am, Perry E. Metzger wrote:
Subject: Re: ncurses 4.1 security bug
2. If you are using C++ your constructors can't call libc in this case as the order of constructors isnt defined??? Why not just drop privs at the beginning as you are supposed to?
-- End of excerpt from Perry E. Metzger
because you dont know where the beginning is. Does every C++ constructor "drop privs" ? it is my understanding that when you have global objects, the constructors all get called before main() is invoked. The assumptions most people use when writing C++ programs with globals tend to support this. imagine this: class jar { jar() { naughty_libc_call(); }; }; jar a; jar b; main() { other_stuff(); } a.jar() and b.jar() are going to both get called before other_stuff(), but you have no way of knowing in which order a.jar() b.jar() get called with respect to each other. does jar() need to drop privs ? i hardly think so. what happens when "class lazy_programmer{};" comes along ? must all of its constructors also "drop privs" as well ? if every function "drops privs" before main() ever starts, and every function does so in some random order, i fail to see how you can create a useful set[ug]id program. But then again Alan already told us not to use C++ for set[ug]id :)
Current thread:
- Re: Forwared to me, (continued)
- Re: Forwared to me Toomas Soome (Jul 10)
- Re: Forwared to me Michael H. Warfield (Jul 13)
- Re: Forwared to me Raymond Medeiros (Jul 13)
- Re: Forwared to me Toomas Soome (Jul 13)
- Re: Forwared to me Michael H. Warfield (Jul 13)
- Re: Forwared to me Jason Downs (Jul 13)
- Re: Forwared to me Illuminatus Primus (Jul 13)
- Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Warner Losh (Jul 10)
- inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
- Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug David Schwartz (Jul 11)