Subject: Re: bin/2905: setting environment vars from login
To: None <email@example.com>
From: Michael Graff <firstname.lastname@example.org>
Date: 10/30/1996 14:17:25
"Perry E. Metzger" <email@example.com> writes:
> > OK, so only pass environment variables if the shell for this user
> > (pw->pw_shell) is one of those listed in /etc/shells or something.
> I'm still terrified. Why do we need this?
I would recommend that setting LOGIN_ARGS as I suggested would get rid
of the potential security hole since that variable could be eval'd as the
user only after a shell is started, or the shell could parse it in the
case of a captive account.