On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> Colin Walters walters-at-redhat.com |fedora| wrote:
> >The major threat here is environment variables, right?

Hmm...didn't get Colin's original message, but I saw this reply.
Anyway, if the question is about domain transitions on scripts, then
there is a fundamental race condition on script execution. Think:
kernel looks up script file and reads header, kernel invokes
interpreter with script file path as argument, interpreter looks up
script file. Caller can run arbitrary code in the new domain.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
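The two path lookups described in the message above, modelled in user space as an added example (not part of the original message and not kernel code). It shows that the file whose header was checked and the file the path names at the second lookup can be compared by device and inode. The function names, the temporary file names and the script contents are constructed for illustration.

```python
import os
import tempfile


def read_interpreter(fd):
    """Lookup 1 (kernel's role): read the #! header from an open descriptor."""
    head = os.pread(fd, 128, 0)
    if not head.startswith(b"#!"):
        raise ValueError("not a script")
    return head[2:].split(b"\n", 1)[0].strip().decode()


def same_file(fd, path):
    """True if `path` still names the file that `fd` was opened on."""
    a, b = os.fstat(fd), os.stat(path)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def simulate(rebind_between_lookups):
    """Model both lookups; return (interpreter, second lookup matches first)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "script")          # constructed sample script
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho checked\n")
        fd = os.open(path, os.O_RDONLY)           # lookup 1: header is read here
        try:
            interp = read_interpreter(fd)
            if rebind_between_lookups:            # path now names another file
                other = os.path.join(d, "other")
                with open(other, "w") as f:
                    f.write("#!/bin/sh\necho unchecked\n")
                os.replace(other, path)
            # lookup 2 (interpreter's role): the path is resolved again
            return interp, same_file(fd, path)
        finally:
            os.close(fd)


if __name__ == "__main__":
    print(simulate(False))   # path stable between the two lookups
    print(simulate(True))    # path rebound between the two lookups
```

The header check and the domain decision apply to the file behind the first lookup; only when both lookups resolve to the same device and inode is that also the file the interpreter reads.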