Subject: Re: bin/2905: setting environment vars from login
To: Michael Graff <explorer@flame.org>
From: Christian Kuhtz <kuhtz@ix.netcom.com>
List: netbsd-bugs
Date: 10/30/1996 16:00:35

On 30 Oct 1996 14:17:25 -0500, Michael Graff <explorer@flame.org> mumbled:
> "Perry E. Metzger" <perry@piermont.com> writes:
>
> > > OK, so only pass environment variables if the shell for this user
> > > (pw->pw_shell) is one of those listed in /etc/shells or something.
> >
> > I'm still terrified. Why do we need this?
>
> I agree.
>
> I would recommend that setting LOGIN_ARGS as I suggested would get rid
> of the potential security hole since that variable could be eval'd as the
> user only after a shell is started, or the shell could parse it in the
> case of a captive account.

Why do we need this additional bloated functionality in login in the first
place?  So far, all I've seen did not indicate a necessity that couldn't
have been answered in any other way.

Guys, login is _-=*AUTHENTICATION*=-_ and not 'add your favorite gimmick
here'.  And any kind of args have no business in that unless they're
directly related and imperative for authentication purposes.  Why are we
even discussing this??

I really don't get it.  Why are you guys even thinking about accepting  
anything from someone you don't even know, or what you are accepting!  This  
is a wonderful thing to mess around with for anyone who has a desire to  
get into your box.

Kill this thread! ;-)

Regards,
Chris

--
Christian Kuhtz <kuhtz@ix.netcom.com>, office: ckuhtz@paranet.com
Network/UNIX Specialist for Paranet, Inc. http://www.paranet.com/
Supercomputing Junkie, et al               MIME/NeXTmail accepted
