Re: PG Patch (fwd) [openserver patch followup #2]

From Bruce Momjian
Subject Re: PG Patch (fwd) [openserver patch followup #2]
Date
Msg-id 200307251507.h6PF74718009@candle.pha.pa.us
In response to Re: PG Patch (fwd) [openserver patch followup #2]  (Larry Rosenman <ler@lerctr.org>)
List pgsql-patches
Larry Rosenman wrote:
> > If your system is broken in that particular way, upgrade your system or
> > don't use setuid programs at all.  Those are the only sane choices.  It is
> > not an acceptable choice to disable all valid uses of nonabsolute sonames
> > for all users, just because some users are running on broken systems with
> > obvious security flaws.
>
> I disagree STRONGLY with what you are saying here.  What harm does it do to
> add the ABILITY for a port to use an ABSOLUTE DT_SONAME?
>
> All the SYSTEM SUPPLIED .so's on UnixWare use an absolute DT_SONAME, and I
> feel that we should build libpq to supply same on UnixWare, and Kean suggests
> that the preferred, SCO recommended way on OpenServer is to do the same.
>
> I believe that the issue is not broken systems, but broken practice.

It is a broken system.  Setuid shouldn't honor that environment
variable, because you are never going to be sure you catch all the
shared library file creations.  Also, once we hard code it, you can't
move the library around later if you wish.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
