Date: Fri, 09 Feb 2001 12:17:38 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Jacques Vidrine <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/usr.bin/login login.c
Message-ID: <20010209121738.C64219@mollari.cthul.hu>
In-Reply-To: <200102091321.f19DLoI59995@freefall.freebsd.org>; from nectar@FreeBSD.org on Fri, Feb 09, 2001 at 05:21:50AM -0800
References: <200102091321.f19DLoI59995@freefall.freebsd.org>
On Fri, Feb 09, 2001 at 05:21:50AM -0800, Jacques Vidrine wrote:
> nectar      2001/02/09 05:21:50 PST
>
>   Modified files:
>     usr.bin/login        login.c
>   Log:
>   Fix login so that it exports environmental variables that are set by PAM
>   modules (via pam_putenv).  The following variables will never be set in
>   this fashion:
>
>     SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH
>     any variable starting with `LD_'

This isn't a complete list of insecure environment variables, if that's
what it's trying to be.  I would feel much happier making this a defined
list of allowed variables so we don't have obscure security fallout from
it.

Kris
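To make the design point concrete, here is an added illustration (not code from login.c or from the commit) of the two policies side by side: the deny-list exactly as the commit message describes it, and the allow-list Kris asks for. The allow-list contents (KRB5CCNAME, LANG, TZ) and the filter_env helper are assumptions of this example, not FreeBSD's.

```c
#include <stdbool.h>
#include <string.h>

/* Deny-list from the commit message: these names are never exported,
 * and neither is anything whose name starts with "LD_". */
static const char *const denied[] = {
    "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", "IFS", "PATH", NULL
};
/* Hypothetical allow-list (an assumption of this example, not FreeBSD's):
 * only PAM-set variables with these names reach the user's environment. */
static const char *const allowed[] = { "KRB5CCNAME", "LANG", "TZ", NULL };

/* Length of the NAME part of a "NAME=value" entry. */
static size_t name_len(const char *kv)
{
    const char *eq = strchr(kv, '=');
    return eq ? (size_t)(eq - kv) : strlen(kv);
}

/* True if the NAME part of kv exactly matches an entry of list. */
static bool name_in(const char *kv, const char *const *list)
{
    size_t n = name_len(kv);
    for (; *list != NULL; list++)
        if (strlen(*list) == n && strncmp(kv, *list, n) == 0)
            return true;
    return false;
}

/* Policy as described in the commit: export unless the name is denied. */
bool export_denylist(const char *kv)
{
    return strncmp(kv, "LD_", 3) != 0 && !name_in(kv, denied);
}

/* Policy Kris argues for: export only names that are explicitly allowed. */
bool export_allowlist(const char *kv)
{
    return name_in(kv, allowed);
}

/* Compact a NULL-terminated env array in place, keeping what the policy accepts. */
size_t filter_env(char **env, bool (*policy)(const char *))
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (policy(env[i]))
            env[kept++] = env[i];
    env[kept] = NULL;
    return kept;
}
```

Any name the deny-list author did not think of (a constructed XYZZY_UNLISTED, say) passes the first policy untouched, while the allow-list rejects everything it was not told about.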