Date: Sun, 11 Feb 2001 22:17:14 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: Kris Kennaway <kris@obsecurity.org>, Jacques Vidrine <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/usr.bin/login login.c
Message-ID: <p05010415b6ad05de601a@[128.113.24.47]>
In-Reply-To: <20010209121738.C64219@mollari.cthul.hu>
References: <200102091321.f19DLoI59995@freefall.freebsd.org> <20010209121738.C64219@mollari.cthul.hu>

At 12:17 PM -0800 2/9/01, Kris Kennaway wrote:
>On Fri, Feb 09, 2001, Jacques Vidrine wrote:
>
> >   Modified files:
> >     usr.bin/login        login.c
> >   Log:
> >   Fix login so that it exports environmental variables that are
> >   set by PAM modules (via pam_putenv).  The following variables
> >   will never be set in this fashion:
> >
> >       SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH
> >       any variable starting with `LD_'
>
>This isn't a complete list of insecure environment variables, if
>that's what it's trying to be.  I would feel much happier making
>this a defined list of allowed variables so we don't have obscure
>security fallout from it.

Where would the list be defined?  Would it make sense for it
to be settable via /etc/login.conf?

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
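
The two policies discussed in this thread, side by side, as an added example that is not part of the original message and is not FreeBSD's login.c. The deny list is the one quoted from the commit log; the allowlist contents, the function names and the sample entries are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names the quoted commit log says are never exported from PAM. */
static const char *const denied[] = {
    "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", "IFS", "PATH", NULL };
/* Hypothetical allowlist (assumption; not taken from login.c). */
static const char *const allowed[] = { "KRB5CCNAME", "KRBTKFILE", NULL };

/* Length of NAME in "NAME=value"; 0 if the name is empty or '=' is missing. */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return (eq == NULL) ? 0 : (size_t)(eq - entry);
}

/* Exact, whole-name match against a NULL-terminated list. */
static int in_list(const char *const *list, const char *entry, size_t n) {
    for (; *list != NULL; list++)
        if (strlen(*list) == n && strncmp(*list, entry, n) == 0)
            return 1;
    return 0;
}

/* Deny-list policy as the commit log describes it: anything goes through
 * except the listed names and any name starting with "LD_". */
int deny_policy_exports(const char *entry) {
    size_t n = name_len(entry);
    if (n == 0 || strncmp(entry, "LD_", 3) == 0)
        return 0;
    return !in_list(denied, entry, n);
}

/* Allowlist policy as proposed in the reply: only known names go through. */
int allow_policy_exports(const char *entry) {
    size_t n = name_len(entry);
    return n != 0 && in_list(allowed, entry, n);
}

/* Constructed sample of entries a PAM module could hand to login. */
static const char *const sample[] = {
    "KRB5CCNAME=/tmp/krb5cc_1001", "PATH=/tmp/bin", "LD_PRELOAD=/tmp/x.so",
    "ENV=/tmp/rc", "=novalue", NULL };

int main(void) {
    for (const char *const *e = sample; *e != NULL; e++)
        printf("%-30s deny-list:%-5s allowlist:%s\n", *e,
            deny_policy_exports(*e) ? "set" : "drop",
            allow_policy_exports(*e) ? "set" : "drop");
    return 0;
}
```

`ENV` is not on the quoted deny list, so the deny-list policy exports it while the allowlist policy drops it, which is the difference the reply is concerned with.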