Date:      Fri, 27 Feb 2004 13:33:25 +0100
From:      des@des.no (Dag-Erling Smørgrav)
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc:        kientzle@acm.org
Subject:   Re: Environment Poisoning and login -p
Message-ID:  <xzp65dsem7e.fsf@dwp.des.no>
In-Reply-To: <20040227122718.GA46119@madman.celabo.org> (Jacques A. Vidrine's message of "Fri, 27 Feb 2004 06:27:19 -0600")
References:  <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com> <20040227111353.GA14777@sheol.localdomain> <20040227112658.GA36271@nagual.pp.ru> <20040227122718.GA46119@madman.celabo.org>

"Jacques A. Vidrine" <nectar@FreeBSD.org> writes:
> On Fri, Feb 27, 2004 at 02:27:00PM +0300, Andrey Chernov wrote:
> > On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > > > Instead, I've decided to follow Jacques Vidrine's
> > > > suggestion of using a whitelist of environment variables
> > > > that are "known-safe."
> > > Coming in from left field... Will there be some sort of mechanism for
> > > an admin to set/modify this list?
> > I agree we'll need it (because of different assumptions). Something like
> > /etc/safe_environment file.
> Whoa, Let's not complicate things unnecessarily.

Agreed, let's let this discussion die instead.  login(1) is no longer
setuid root, so the whole thing is a non-issue.

DES
-- 
Dag-Erling Smørgrav - des@des.no


