Re: sshd UseLogin option

From: Bjoern Fischer (bfischer@Techfak.Uni-Bielefeld.DE)
Date: 03/14/02


From: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
Date: Thu, 14 Mar 2002 06:10:25 +0100
To: Jason Stone <jason-fbsd-security@shalott.net>


>> And additionally to that, why is the environment variable MAIL hardcoded
>> to /var/mail/${logname} (or _PATH_MAILDIR/${logname}) in session.c
>> although setusercontext() is used? Crap!
>
>the CheckMail option in sshd is deprecated (I think that it actually
>generates an error in 3.1, the current version) and should not be used
>anymore.

It's not just for the CheckMail option, but the MAIL variable ends up
in the users environment for the session. Normally the admin would have
configured an appropriate environment via login.conf, so no dealing
with shell specific files or, even worse, no telling the user what
variable he has to set. And if a user doesn't start a normal shell
session, but directly fires up his (X11 based) MUA with that wrong
MAIL var.

-Björn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message