> What is the concern about letting a user set some environment
> variables on the line with their login name?  What does this
> mechanism allow that they couldn't have done anyway as soon as they
> get their shell prompt?

The "user" being logged in to may not _have_ a shell prompt.

Imagine you have a UUCP link to "host", login uume, and therefore know
the password - or perhaps you stole it from the real uume's owner.  Or
perhaps "host" supports anonymous uucp.

	% ftp host
	Username: anonymous
	Password: dream@on
	ftp> cd pub/incoming
	ftp> bin
	ftp> put libc.so.12.5
	ftp> quit
	% telnet host
	login: uume LD_LIBRARY_PATH=/var/spool/ftp/pub/incoming

...and as soon as anything dynamically linked gets run, this little
daemon appears on port 32109, or something comparably evil.

No, I prefer just stuffing everything after the login name into a
LOGIN_ARGS variable and letting that be processed however software
wishes.  A normal user may choose to "eval $LOGIN_ARGS"....

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     01 EE 31 F6 BB 0C 34 36  00 F3 7C 5A C1 A0 67 1D