From owner-freebsd-security Wed Mar 13 21:15:28 2002
From: Bjoern Fischer
Date: Thu, 14 Mar 2002 06:10:25 +0100
To: Jason Stone
Cc: security@FreeBSD.ORG
Subject: Re: sshd UseLogin option
Message-ID: <20020314051025.GA350@frolic.no-support.loc>

>> And additionally to that, why is the environment variable MAIL hardcoded
>> to /var/mail/${logname} (or _PATH_MAILDIR/${logname}) in session.c
>> although setusercontext() is used? Crap!
>
>the CheckMail option in sshd is deprecated (I think that it actually
>generates an error in 3.1, the current version) and should not be used
>anymore.

It's not just for the CheckMail option, but the MAIL variable ends up
in the user's environment for the session. Normally the admin would have
configured an appropriate environment via login.conf, so no dealing
with shell-specific files or, even worse, no telling the user what
variable he has to set.
And if a user doesn't start a normal shell session, but directly fires
up his (X11 based) MUA with that wrong MAIL var.

-Björn
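
An added example, not part of the original message and not OpenSSH or FreeBSD code: a small Python check that compares what a login class's `setenv` capability requests with the environment a session actually received, which is how an admin could spot the MAIL override discussed above. The parser is a simplification (assumed: comma-separated NAME=value pairs, `$` for the login name, a leading `~` for the home directory), and the user name, paths and sample values are constructed.

```python
# Added example: compare a session environment against login.conf "setenv".
# Simplified parser (assumption): comma-separated NAME=value pairs,
# "$" -> login name, leading "~" -> home directory; no backslash escapes.

def expand(value, user, home):
    """Apply the two substitutions this sketch supports."""
    value = value.replace("$", user)
    if value == "~" or value.startswith("~/"):
        value = home + value[1:]
    return value


def parse_setenv(cap, user, home):
    """Turn a setenv capability string into the environment it requests."""
    wanted = {}
    for item in cap.split(","):
        name, sep, value = item.strip().partition("=")
        if sep and name:
            wanted[name] = expand(value, user, home)
    return wanted


def overridden(cap, session_env, user, home):
    """Return {name: (configured, actual)} for variables that differ."""
    wanted = parse_setenv(cap, user, home)
    return {
        name: (value, session_env.get(name))
        for name, value in wanted.items()
        if session_env.get(name) != value
    }


# Constructed sample data: a login class that points MAIL at a Maildir,
# and an ssh session environment where MAIL was forced to the spool path.
SAMPLE_CAP = "MAIL=~/Maildir/,BLOCKSIZE=K"
SAMPLE_SESSION = {
    "MAIL": "/var/mail/alice",
    "BLOCKSIZE": "K",
    "HOME": "/home/alice",
}

if __name__ == "__main__":
    diffs = overridden(SAMPLE_CAP, SAMPLE_SESSION, "alice", "/home/alice")
    for name, (configured, actual) in diffs.items():
        print(f"{name}: login.conf wants {configured!r}, session has {actual!r}")
```

On a real host the capability string would come from the user's login class and the session dictionary from `env` run inside an ssh session.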