cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Custom OpenSSL crypto engine not known to cURL

From: Petr Pisar <petr.pisar_at_atlas.cz>
Date: Thu, 1 Apr 2010 23:16:18 +0200

On Thu, Apr 01, 2010 at 09:11:04AM +0200, Daniel Stenberg wrote:
> On Thu, 1 Apr 2010, Camille Moncelier wrote:
>
> > You could set up some _evil_ openssl engine and set init = 1 so openssl
> > try to initialize it automatically and TADA, (Bonus points if the
> > application is setuid root) :-)
>
> Assuming an app wants to support custom crypto engines as Petr Pisar enabled
> with his patch, and assuming the app runs as setuid root. How can the app
> limit what evilness a user can trick it into doing?
>
Unset OPENSSL_CNF. The same applies to NSS as user could supply custom NSS
database (that can load PKCS#11 engines too).

In case of OpenSSL, this forces user to use system wide configuration that is
under sole control of superuser.

-- Petr

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

application/pgp-signature attachment: stored

Received on 2010-04-01

This message: [ Message body ]
Next message: tetetest tetetest: "Re: CMake build patch - updated version."
Previous message: Ben Greear: "Re: [imap] imap: Return folder listing if empty URL content is given."
In reply to: Daniel Stenberg: "Re: Custom OpenSSL crypto engine not known to cURL"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]