Project

General

Profile

Actions

Bug #780

closed

Security: getenv() should not be used if daemon are in setuid mode

Added by David Goulet over 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Target version:
Start date:
04/14/2014
Due date:
% Done:

100%

Estimated time:

Description

As stated in the getenv(3) man page, if a lttng daemon is setuid (getuid != geteuid()) it should not try to read env. variable since an untrusted environment is an attack vector.

Actions

Also available in: Atom PDF