Subject: Re: bin/2905: setting environment vars from login
To: None <>
From: Michael Graff <>
List: netbsd-bugs
Date: 10/30/1996 14:17:25
"Perry E. Metzger" <> writes:

> > OK, so only pass environment variables if the shell for this user
> > (pw->pw_shell) is one of those listed in /etc/shells or something.
> I'm still terrified. Why do we need this?

I agree.

I would recommend that setting LOGIN_ARGS as I suggested would get rid
of the potential security hole since that variable could be eval'd as the
user only after a shell is started, or the shell could parse it in the
case of a captive account.