Re: Custom OpenSSL crypto engine not known to cURL
Date: Thu, 1 Apr 2010 23:16:18 +0200
On Thu, Apr 01, 2010 at 09:11:04AM +0200, Daniel Stenberg wrote:
> On Thu, 1 Apr 2010, Camille Moncelier wrote:
> > You could set up some _evil_ openssl engine and set init = 1 so openssl
> > tries to initialize it automatically and TADA, (Bonus points if the
> > application is setuid root) :-)
> Assuming an app wants to support custom crypto engines as Petr Pisar enabled
> with his patch, and assuming the app runs as setuid root. How can the app
> limit what evilness a user can trick it into doing?
Unset OPENSSL_CNF. The same applies to NSS, as a user could supply a custom NSS
database (that can load PKCS#11 engines too).
In the case of OpenSSL, this forces the user to use the system-wide configuration
that is under the sole control of the superuser.
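The mitigation described in the reply above, as an added example that is not part of the original thread or of curl: a setuid program drops the environment variables that point OpenSSL at a caller-chosen configuration file or engine directory before the library is initialised. OpenSSL reads these as `OPENSSL_CONF` and `OPENSSL_ENGINES`; the function names and the choice of variables are this example's assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv/unsetenv */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Variables OpenSSL consults to locate its configuration file and its
 * engine modules. The list is this example's assumption; extend it for
 * other crypto back ends. */
static const char *const tls_env_vars[] = {
    "OPENSSL_CONF",
    "OPENSSL_ENGINES",
    NULL
};

/* True when real and effective IDs differ, i.e. the caller is less
 * privileged than the process (setuid or setgid execution). */
int running_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove the variables above when elevated is non-zero.
 * Returns how many were set and removed, or -1 if unsetenv() failed. */
int scrub_tls_env(int elevated)
{
    int removed = 0;
    if (!elevated)
        return 0;
    for (size_t i = 0; tls_env_vars[i] != NULL; i++) {
        if (getenv(tls_env_vars[i]) == NULL)
            continue;
        if (unsetenv(tls_env_vars[i]) != 0)
            return -1;
        removed++;
    }
    return removed;
}

int main(void)
{
    /* Call before any OpenSSL initialisation so the library only ever
     * sees its compiled-in, root-owned defaults. */
    int n = scrub_tls_env(running_elevated());
    if (n < 0) { perror("unsetenv"); return 1; }   /* fail closed */
    printf("removed %d variable(s)\n", n);
    return 0;
}
```
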