Date: Fri, 09 Feb 2001 12:17:38 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Jacques Vidrine <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/usr.bin/login login.c
Message-ID: <20010209121738.C64219@mollari.cthul.hu>
In-Reply-To: <200102091321.f19DLoI59995@freefall.freebsd.org>; from nectar@FreeBSD.org on Fri, Feb 09, 2001 at 05:21:50AM -0800
References: <200102091321.f19DLoI59995@freefall.freebsd.org>

On Fri, Feb 09, 2001 at 05:21:50AM -0800, Jacques Vidrine wrote:
> nectar      2001/02/09 05:21:50 PST
>
>   Modified files:
>     usr.bin/login        login.c
>   Log:
>   Fix login so that it exports environmental variables that are set by PAM
>   modules (via pam_putenv).  The following variables will never be set in
>   this fashion:
>
>         SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH
>         any variable starting with `LD_'

This isn't a complete list of insecure environment variables, if
that's what it's trying to be. I would feel much happier making this a
defined list of allowed variables so we don't have obscure security
fallout from it.

Kris
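
The two policies discussed in this message, side by side, as an added example that is not part of the original e-mail and is not code from login.c. The allowlist entry (KRB5CCNAME), the exact-name matching, the function names and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names the commit log says are never taken from PAM (LD_ prefix handled below). */
static const char *const denied[] = { "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", "IFS", "PATH", NULL };
/* Hypothetical allowlist: only what a site expects its PAM modules to set. */
static const char *const allowed[] = { "KRB5CCNAME", NULL };
/* Constructed sample of a PAM environment list, not real module output. */
const char *const sample_env[] = {
    "KRB5CCNAME=FILE:/tmp/krb5cc_1001", "PATH=/tmp/bin", "LD_EXAMPLE=/tmp/x.so",
    "UNANTICIPATED_VAR=value", "PATHX=1", "noequals", NULL };

/* Length of NAME in "NAME=value"; 0 if malformed (no '=' or empty name). */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

static int in_list(const char *const *list, const char *entry, size_t n) {
    for (; *list; list++)
        if (strlen(*list) == n && strncmp(*list, entry, n) == 0)
            return 1;
    return 0;
}

/* Denylist: export unless the name is listed or starts with LD_. */
int denylist_permits(const char *entry) {
    size_t n = name_len(entry);
    if (n == 0 || strncmp(entry, "LD_", 3) == 0) return 0;
    return !in_list(denied, entry, n);
}

/* Allowlist: export only names that were defined in advance. */
int allowlist_permits(const char *entry) {
    size_t n = name_len(entry);
    return n != 0 && in_list(allowed, entry, n);
}

/* Count entries of a NULL-terminated list that a policy would export. */
int count_permitted(const char *const *env, int (*permits)(const char *)) {
    int c = 0;
    for (; *env; env++) c += permits(*env);
    return c;
}

int main(void) {
    printf("denylist exports:  %d\n", count_permitted(sample_env, denylist_permits));
    printf("allowlist exports: %d\n", count_permitted(sample_env, allowlist_permits));
    return 0;
}
```

Any name nobody thought to list passes the denylist by default, while the allowlist exports only what was named in advance.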
