Environment Poisoning and login -p

Dag-Erling Smørgrav des at des.no
Fri Feb 27 04:33:32 PST 2004


"Jacques A. Vidrine" <nectar at FreeBSD.org> writes:
> On Fri, Feb 27, 2004 at 02:27:00PM +0300, Andrey Chernov wrote:
> > On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > > > Instead, I've decided to follow Jacques Vidrine's
> > > > suggestion of using a whitelist of environment variables
> > > > that are "known-safe."
> > > Coming in from left field... Will there be some sort of mechanism for
> > > an admin to set/modify this list?
> > I agree we'll need it (because of different assumptions). Something like
> > /etc/safe_environment file.
> Whoa, let's not complicate things unnecessarily.

Agreed, let's let this discussion die instead.  login(1) is no longer
setuid root, so the whole thing is a non-issue.

DES
-- 
Dag-Erling Smørgrav - des at des.no


More information about the freebsd-security mailing list