added some extra clarifications to the SECURITY file.

author R.E. Wolff <R.E.Wolff@BitWizard.nl>

Tue, 5 Feb 2013 15:56:38 +0000 (16:56 +0100)

committer R.E. Wolff <R.E.Wolff@BitWizard.nl>

Tue, 5 Feb 2013 15:56:45 +0000 (16:56 +0100)
author R.E. Wolff <R.E.Wolff@BitWizard.nl>
Tue, 5 Feb 2013 15:56:38 +0000 (16:56 +0100)
committer R.E. Wolff <R.E.Wolff@BitWizard.nl>
Tue, 5 Feb 2013 15:56:45 +0000 (16:56 +0100)
diff --git a/SECURITY b/SECURITY

index 1ebf15c085407d4b873e01596c528f9a128bb6e5..6cfc40b1b6e563de37a80bd65b01e89b78e32425 100644 (file)
--- a/SECURITY
+++ b/SECURITY
@@ -29,5 +29,14 @@ raw socket descriptors, which would allow the malicious user to listen
  to all ICMP packets arriving at the system, and send forged packets
  with arbitrary contents.
  
+The mtr-code does its best to prevent calling of external library
+code before dropping privileges. It seems that C++ library code has 
+the ability to issue a "please execute me before calling main" to the
+loader/linker.  That would mean that we're still vulnerable to 
+errors in that code. This is why I would prefer to drop the backends, 
+have mtr-core always run in "raw" mode, and have the backends interpret
+the output from the mtr-core. Maybe a nice project for a college-level
+student. 
+
  If you have further questions or comments about security issues,
  please direct them to the mtr mailing list.  See README for details.
author	R.E. Wolff <R.E.Wolff@BitWizard.nl>
	Tue, 5 Feb 2013 15:56:38 +0000 (16:56 +0100)
committer	R.E. Wolff <R.E.Wolff@BitWizard.nl>
	Tue, 5 Feb 2013 15:56:45 +0000 (16:56 +0100)