From owner-cvs-all Sun Feb 11 19:17:23 2001 Delivered-To: cvs-all@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 852F337B401; Sun, 11 Feb 2001 19:17:18 -0800 (PST) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id WAA642182; Sun, 11 Feb 2001 22:17:15 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20010209121738.C64219@mollari.cthul.hu> References: <200102091321.f19DLoI59995@freefall.freebsd.org> <20010209121738.C64219@mollari.cthul.hu> Date: Sun, 11 Feb 2001 22:17:14 -0500 To: Kris Kennaway , Jacques Vidrine From: Garance A Drosihn Subject: Re: cvs commit: src/usr.bin/login login.c Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG At 12:17 PM -0800 2/9/01, Kris Kennaway wrote: >On Fri, Feb 09, 2001, Jacques Vidrine wrote: > > >> Modified files: >> usr.bin/login login.c >> Log: > > Fix login so that it exports environmental variables that are > > set by PAM modules (via pam_putenv). The following variables > > will never be set in this fashion: > > >> SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH >> any variable starting with `LD_' > >This isn't a complete list of insecure environment variables, if >that's what it's trying to be. I would feel much happier making >this a defined list of allowed variables so we don't have obscure >security fallout from it. Where would the list be defined? Would it make sense for it to be settable via /etc/login.conf? -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message