Arran Cudbard-Bell wrote:
Hm, can anyone see any obvious security issues with having the utilities and server check environmental variables for a PANIC_ACTION?
No. If it's running as a service, the environment is already sanitized. If someone can become root and run radiusd, well... they can edit anything.
It allows you to be exceptionally lazy... you could just set it in ~/.profile and an interactive debugger session would pop up any time a utility or daemon crashed.
That's very useful.
Just seems like one of those possibly insecure exploitable things... Maybe only enable it #ifndef NDEBUG then it's off for official releases? and for radiusd only if it was running in foreground mode?
It's useful in daemon mode too. Just use NDEBUG. Alan DeKok.