Tim Kientzle <tim at kientzle.com> writes:
> There's been an ongoing discussion (started by
> Colin Percival's recent work on nologin) about
> environment-poisoning attacks via "login -p".
> [...]

You missed the obvious solution: remove login(1)'s setuid bit so it
only works if you are already root.

DES
-- 
Dag-Erling Smørgrav - des at des.no