Subject: Re: bin/2905: setting environment vars from login
To: None <perry@piermont.com>
From: Michael Graff <explorer@flame.org>
List: netbsd-bugs
Date: 10/30/1996 14:17:25

"Perry E. Metzger" <perry@piermont.com> writes:

> > OK, so only pass environment variables if the shell for this user
> > (pw->pw_shell) is one of those listed in /etc/shells or something.
> 
> I'm still terrified. Why do we need this?

I agree.

I would recommend that setting LOGIN_ARGS as I suggested would get rid
of the potential security hole since that variable could be eval'd as the
user only after a shell is started, or the shell could parse it in the
case of a captive account.

--Michael
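
An added example, not part of the message above and not NetBSD's login code: it contrasts exporting each user-supplied `NAME=value` argument with carrying them all inside a single `LOGIN_ARGS` entry, as the reply recommends. The function names, the `MAXENV` limit, the space-joined `LOGIN_ARGS` format and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXENV 16

/* Before: each user-supplied NAME=value becomes its own environment entry, so
 * whoever types at the login prompt picks names that later programs honour. */
size_t env_direct(const char *const args[], size_t n, const char *envp[])
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < MAXENV - 1; i++)
        if (strchr(args[i], '=')) envp[k++] = args[i];
    envp[k] = NULL;
    return k;
}

/* LOGIN_ARGS approach: one entry with a fixed name. The supplied text stays
 * inert data until the user's own shell parses it. Returns -1 if it won't fit. */
int env_packed(const char *const args[], size_t n, char *buf, size_t buflen,
               const char *envp[])
{
    int used = snprintf(buf, buflen, "LOGIN_ARGS=");
    for (size_t i = 0; i < n; i++) {
        if (used < 0 || (size_t)used >= buflen) return -1;
        used += snprintf(buf + used, buflen - used, "%s%s", i ? " " : "", args[i]);
    }
    if (used < 0 || (size_t)used >= buflen) return -1;
    envp[0] = buf; envp[1] = NULL;
    return 0;
}

/* Does envp hold an entry whose name is exactly `name`? */
int env_has(const char *const envp[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i]; i++)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=') return 1;
    return 0;
}

int main(void)
{
    const char *args[] = { "LD_LIBRARY_PATH=/tmp/x", "TERM=vt100" }; /* constructed */
    const char *a[MAXENV], *b[MAXENV];
    char buf[256];
    env_direct(args, 2, a);
    if (env_packed(args, 2, buf, sizeof buf, b)) return 1;
    printf("direct=%d packed=%d [%s]\n", env_has(a, "LD_LIBRARY_PATH"),
           env_has(b, "LD_LIBRARY_PATH"), buf);
    return 0;
}
```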