Subject: Re: bin/2905: setting environment vars from login
To: Greg A. Woods <firstname.lastname@example.org>
From: Curt Sampson <email@example.com>
Date: 11/04/1996 12:57:41
On Mon, 4 Nov 1996, Greg A. Woods wrote:
> Maybe you do, but I never have beyond a well defined policy where I know
> at all levels which environment variables are innocuous, and which are
> not, and usually a simple grep of the source tree will show me where my
> policy might be violated, or possibly where I must add another variable
> to the list of dangerous data bins.
I'm glad you have full source code for all of your programs.
Unfortunately, I don't, and I don't care to modify login to screen
certain variables every time I install a new program for which I
don't have source.
This policy is also a lot of work to maintain. If you're going to keep
a local source tree and maintain this sort of policy, I can't see what
the problem would be with running a modified login. Whereas those who
don't want to do this sort of thing shouldn't be exposed to these sorts
of security risks by putting this in the standard distribution.