Subject: Re: bin/2905: setting environment vars from login
To: Greg A. Woods <woods@kuma.web.net>
From: Christian Kuhtz <kuhtz@ix.netcom.com>
List: current-users
Date: 11/05/1996 11:47:00
On Sun, 3 Nov 96 19:41:12 -0500 (EST), woods@kuma.web.net (Greg A. Woods)
mumbled:
> Saying that such and such feature is allows someone to trip over an
> as-yet un-introduced potential security weakness isn't saying much at
> all. I think it would be much more productive to develop a validated
> security profile such that a feature like this can be added without fear
> of the unknown.
1. It would help if you could be less ambiguous.
2. Part of a working and effective security policy is security planning, and
that includes observing changes very closely and with scrutiny. RTFM.
> After all, if you think about the risk/benefit ratio, I think it should
> be obvious that there are far more risky things in the system that need
> more direct attention than a feature such as this which in a properly
> controlled environment should add nothing but benefit.
IMHO, that argumentation is extremely weak. Just because you know that
there's a bigger hole somewhere means that you don't care about the little
ones anymore?!
> This is in fact a feature I would find mandatory if I were to build a
> system that provded general purpose shell access, esp. in a commercial
> unix environment.
In a commercial environment you should be able to find a better solution
than this kludge. And it is nothing more than that at this point: a
kludge.
So far, no one has been able to demonstrate the absolute neccessity for
this additional feature/junk in /bin/login.
Chris
--
Christian Kuhtz <kuhtz@ix.netcom.com>, office: ckuhtz@paranet.com
Network/UNIX Specialist for Paranet, Inc. http://www.paranet.com/
Supercomputing Junkie, et al MIME/NeXTmail accepted
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQCNAzJ1JCkAAAEEALzCoYhlxTLI4DID5KpQINF8KM4PUnrZxoL2aRRFAQNX9v9c
8uBySUqVDxfyylB6M/ptUezWIs6DLjz6b8jr8MX40vQf2jU2db6oMDh2axOeXlg2
KCSHryZ9kthnnXOVt0kHLN9XjM9DvwKU28RzvT7umEVmbHFyp64kVG961wkZAAUR
tCVDaHJpc3RpYW4gS3VodHogPGt1aHR6QGl4Lm5ldGNvbS5jb20+iQCVAwUQMnUk
Ka4kVG961wkZAQFztgP+IgHBCz/d1Sc10Qg0Wmu4KnhNb4E4KsPh96V/olwbQS+e
frdWMxSHzX8hGD1p/KbuwlNRrDktmZgVc+n89FGEeGcq3z9WK3o22JsyjJTlzobY
qJIZ5bdOx4dOimQ83ha9zjF+bRnw92t1jC/GJ+LRyOEVMzD5TtL7AMdODO8fNC8=
=sRe0
-----END PGP PUBLIC KEY BLOCK-----