[ On , October 30, 1996 at 09:28:19 (+0100), Matthias Scheler wrote: ]
> Subject: Re: bin/2905: setting environment vars from login
>
> Yes, and sooner or later we'll have a security hole because a critical
> environment variable (e.g. "LD_LIBRARY_PATH") was set or overwritten.
> 
> I vote against applying this patch. If someone really wants to have it
> he can create a modified "login", put in "/usr/local" and use the
> "lo" field in "gettytab".

I'd much rather see a system supplied feature for such a security
critical component.  If some programmer is adding a security critical
tool that relies upon the setting of an environment variable then I want
that prorammer to also integrate his new feature into every location in
the system where it might have some impact.  If the system supplied
login program is one of those places every NetBSD programmer pays close
attention to, then we've got an asset, not a defecit, in terms of a more
feature rich, but very well integrated and secure system.

Saying that such and such feature is allows someone to trip over an
as-yet un-introduced potential security weakness isn't saying much at
all.  I think it would be much more productive to develop a validated
security profile such that a feature like this can be added without fear
of the unknown.

After all, if you think about the risk/benefit ratio, I think it should
be obvious that there are far more risky things in the system that need
more direct attention than a feature such as this which in a properly
controlled environment should add nothing but benefit.

This is in fact a feature I would find mandatory if I were to build a
system that provded general purpose shell access, esp. in a commercial
unix environment.

-- 
							Greg A. Woods

+1 416 443-1734			VE3TCP			robohack!woods
Planix, Inc. <woods@planix.com>; Secrets Of The Weird <woods@weird.com>