[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Need help (building ncurses-4.2)

> > Once I fixed that, it "almost worked": Now I have a portability problem.
> > The Debian version uses setfsuig and setfsgid, to solve a security
> > problem, I think.
> Can you ascertain what the actual purpose here is?  i.e. how are these
> calls used and what is the supposed problem being solved by using these
> calls?

They are used to fix a security problem.

As Mark Kettenis has explained to me, "ncurses looks at the
TERMINFO variable to allow the user to specify their own terminfo
database. For setuid programs this opens the possibility to read
arbitrary files, which of course is not good."

He also suggested to ignore such environment variables if uid != euid,
as done in libc6.

 "3e07f5bbfc03e0af04abcda88afd9641" (a truly random sig)

Reply to: