Subject: Re: bin/2905: setting environment vars from login
To: Michael Graff <firstname.lastname@example.org>
From: Christian Kuhtz <email@example.com>
Date: 10/30/1996 16:00:35
On 30 Oct 1996 14:17:25 -0500, Michael Graff <firstname.lastname@example.org> mumbled:
> "Perry E. Metzger" <email@example.com> writes:
> > > OK, so only pass environment variables if the shell for this user
> > > (pw->pw_shell) is one of those listed in /etc/shells or something.
> > I'm still terrified. Why do we need this?
> I agree.
> I would recommend that setting LOGIN_ARGS as I suggested would get rid
> of the potential security hole since that variable could be eval'd as the
> user only after a shell is started, or the shell could parse it in the
> case of a captive account.

Why do we need this additional bloated functionality in login in the first
place? So far, all I've seen did not indicate a necessity that couldn't
have been answered in any other way.

Guys, login is _-=*AUTHENTICATION*=-_ and not 'add your favorite gimmick
here'. And any kind of args have no business in that unless they're
directly related and imperative for authentication purposes. Why are we
even discussing this??

I really don't get it. Why are you guys even thinking about accepting
anything from someone you don't even know, or what you are accepting! This
is a wonderful thing to mess around with for anyone who has a desire to
get into your box.

Kill this thread! ;-)

Christian Kuhtz <firstname.lastname@example.org>, office: email@example.com
Network/UNIX Specialist for Paranet, Inc. http://www.paranet.com/
Supercomputing Junkie, et al MIME/NeXTmail accepted