[ On Tuesday, September 16, 2003 at 12:17:35 (-0700), Greywolf wrote: ]
> Subject: Re: security issues with passing environment vars through su
>
> I don't see any inherent risk in inheriting $OLDPWD...

Well it all depends on what you use it for.  If all you do is "cd -;
. ./.profile" then you're still just as screwed.

> For myself, though, I *do* like having ENV passed in; so please don't
> propose changing that.

I'm not really proposing anything -- I'm just saying that passing any
environment variable (except of course maybe $TERM :-) off to the "su"
session is _VERY_ risky, so much so that I'm not willing to let anyone
using any of the systems I build even try to get away with it so I've
tromped on all the code that lets it happen.

If you want to play those kinds of very risky games on your systems then
that's your business but don't come crying if you ever get targetted by
someone who knows how to use the vulnerabilities you leave wide open for
them to exploit.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>