curl-library

Re: Custom OpenSSL crypto engine not known to cURL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 1 Apr 2010 09:11:04 +0200 (CEST)

On Thu, 1 Apr 2010, Camille Moncelier wrote:

> You could set up some _evil_ openssl engine and set init = 1 so openssl tries
> to initialize it automatically and TADA, (Bonus points if the application is
> setuid root) :-)

Thank you. I'm not sure where this puts us.

Assuming an app wants to support custom crypto engines as Petr Pisar enabled
with his patch, and assuming the app runs as setuid root, how can the app
limit what evilness a user can trick it into doing?

It seems this subject died somewhat...

-- 
  / daniel.haxx.se
Received on 2010-04-01
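
One way an application could approach the question raised in this message, as an added example that is not part of the original mail or of curl's code: detect that the process runs setuid/setgid, drop the OpenSSL environment variables (`OPENSSL_CONF`, `OPENSSL_ENGINES`) that point at user-chosen locations, and accept a user-supplied engine name only from a compiled-in allowlist. The function names and the allowlist contents are assumptions made for this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for unsetenv() */
#endif
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical allowlist: engines the administrator installed and vetted. */
static const char *const vetted_engines[] = { "pkcs11", NULL };

/* A setuid/setgid process has real ids that differ from its effective ids. */
int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Call before any OpenSSL initialisation. When elevated, drop the
 * environment variables that redirect OpenSSL's config file and
 * engine directory to user-chosen locations. */
int drop_user_openssl_env(void)
{
    int elevated = ids_elevated(getuid(), geteuid(), getgid(), getegid());
    if (elevated) {
        unsetenv("OPENSSL_CONF");
        unsetenv("OPENSSL_ENGINES");
    }
    return elevated;
}

/* Decide whether an engine name supplied by the user may be passed on. */
int user_engine_allowed(const char *name, int elevated)
{
    size_t i;
    if (name == NULL || name[0] == '\0')
        return 0;
    if (!elevated)
        return 1;               /* runs with the user's own privileges */
    if (strchr(name, '/') != NULL)
        return 0;               /* no user-chosen shared-object paths */
    for (i = 0; vetted_engines[i] != NULL; i++)
        if (strcmp(name, vetted_engines[i]) == 0)
            return 1;
    return 0;
}
```

The gate covers only the engine name and the environment; a config file path taken from the user would need the same refusal when the process is elevated.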