Subject: Re: bin/2905: setting environment vars from login
To: Greg A. Woods <woods@kuma.web.net>
From: Curt Sampson <cjs@portal.ca>
List: current-users
Date: 11/03/1996 17:55:00
On Sun, 3 Nov 1996, Greg A. Woods wrote:

> > Yes, and sooner or later we'll have a security hole because a critical
> > environment variable (e.g. "LD_LIBRARY_PATH") was set or overwritten.
> > 
> > I vote against applying this patch. If someone really wants to have it
> > he can create a modified "login", put in "/usr/local" and use the
> > "lo" field in "gettytab".
> 
> I'd much rather see a system supplied feature for such a security
> critical component.  If some programmer is adding a security critical
> tool that relies upon the setting of an environment variable then I want
> that programmer to also integrate his new feature into every location in
> the system where it might have some impact.

The problem here is that in this particular instance, *all* tools on the
system may be `security critical.'

Unix itself really has only three levels of access: root, normal
user, and none at all. Many sysadmins need to add the ability to
have access levels between `normal user' and `none at all.' Generally,
this is done by running a certain program from the login prompt. Then
we have only to worry about what the user can do from within that
program, rather than what the user can do with access to any program
in the system.

Quite often, we rely on environment variables to determine what
that user can do. If the program allows shell escapes, setting the
SHELL environment variable to a different program may let us disable
shell escapes, for example.

In short, it's much easier to secure a particular program if we
can count on a fixed environment, rather than a random one. Adding
the ability to set environment variables in the login prompt defeats
this.

> I think it would be much more productive to develop a validated
> security profile such that a feature like this can be added without fear
> of the unknown.
> ... a feature such as this...in a properly
> controlled environment should add nothing but benefit.

This is really asking for a complete re-working of the Unix security
model. Regardless of whether or not this is an unfair thing to ask,
I think it would be best to do that before we add the ability
to set environment variables on login, rather than after.

cjs

Curt Sampson    cjs@portal.ca		Info at http://www.portal.ca/
Internet Portal Services, Inc.	
Vancouver, BC   (604) 257-9400		De gustibus, aut bene aut nihil.
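As an added example, not part of the original thread and not code from NetBSD's login or any project discussed above: a small C wrapper showing what "counting on a fixed environment" looks like for a captive login program. It discards everything login handed it except an allowlist (USER, HOME, TERM), drops variables such as LD_LIBRARY_PATH, and forces SHELL to /bin/false so a shell escape inside the captive program leads nowhere. The function names (fixed_env, env_get), the allowlist, and the paths are my own assumptions for illustration.

```c
/* Added example (not from the original thread): build a fixed environment
 * for a captive program started from the login prompt, so the program's
 * security does not depend on whatever environment login passed along.
 * Names and paths here are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables the captive program may inherit from login. Anything else
 * (LD_LIBRARY_PATH, IFS, ENV, ...) is silently dropped. SHELL and PATH are
 * deliberately not on this list: they are set by FORCED below. */
static const char *const ALLOWED[] = { "USER", "HOME", "TERM", NULL };

/* Variables set by the wrapper regardless of what login supplied.
 * SHELL=/bin/false realises the thread's "disable shell escapes" idea;
 * PATH is pinned so the program cannot be steered to another binary. */
static const char *const FORCED[] = {
    "SHELL=/bin/false",
    "PATH=/usr/bin:/bin",
    NULL
};

/* True if entry is of the form "NAME=..." for the given NAME. */
static int name_matches(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Fill out[] (capacity max, including the terminating NULL) with the fixed
 * environment derived from inherited[]. Returns the number of entries, not
 * counting the NULL terminator, or -1 if out[] is too small. The pointers
 * stored in out[] refer to the inherited[] and FORCED strings; nothing is
 * copied or allocated. */
int fixed_env(char *const inherited[], const char *out[], size_t max)
{
    size_t count = 0;

    for (size_t i = 0; FORCED[i] != NULL; i++) {
        if (count + 1 >= max) return -1;
        out[count++] = FORCED[i];
    }
    for (size_t i = 0; inherited != NULL && inherited[i] != NULL; i++) {
        int keep = 0;
        for (size_t a = 0; ALLOWED[a] != NULL; a++) {
            if (name_matches(inherited[i], ALLOWED[a])) { keep = 1; break; }
        }
        if (!keep) continue;              /* not on the allowlist: drop it */
        if (count + 1 >= max) return -1;
        out[count++] = inherited[i];
    }
    out[count] = NULL;
    return (int)count;
}

/* Look up NAME in a NULL-terminated "NAME=value" array; NULL if absent. */
const char *env_get(const char *const env[], const char *name)
{
    for (size_t i = 0; env[i] != NULL; i++) {
        if (name_matches(env[i], name)) return env[i] + strlen(name) + 1;
    }
    return NULL;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    const char *envp[64];
    int n = fixed_env(environ, envp, 64);

    if (n < 0) {
        fputs("inherited environment too large\n", stderr);
        return 1;
    }
    for (int i = 0; i < n; i++) puts(envp[i]);   /* show what survived */

    /* A real wrapper would now replace itself with the captive program
     * (path is a placeholder), passing only the fixed environment:
     *   execve("/usr/local/bin/captive", argv, (char *const *)envp);
     */
    (void)argc; (void)argv;
    return 0;
}
```

The point of the allowlist-plus-forced split is that the captive program's author reasons about exactly two sources of environment: the three inherited names and the two forced values. A login that lets the user set arbitrary variables would have to be re-audited against every such program, which is the objection Curt raises above.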