Re: Environment Poisoning and login -p

• Previous message: Jacques A. Vidrine: "Re: Environment Poisoning and login -p"
• In reply to: Jacques A. Vidrine: "Re: Environment Poisoning and login -p"
• Next in thread: Mike Hoskins: "Re: Environment Poisoning and login -p"
• Reply: Mike Hoskins: "Re: Environment Poisoning and login -p"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Date: Fri, 27 Feb 2004 13:33:25 +0100

"Jacques A. Vidrine" <nectar@FreeBSD.org> writes:
> On Fri, Feb 27, 2004 at 02:27:00PM +0300, Andrey Chernov wrote:
> > On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > > > Instead, I've decided to follow Jacques Vidrine's
> > > > suggestion of using a whitelist of environment variables
> > > > that are "known-safe."
> > > Coming in from left field... Will there be some sort of mechanism for
> > > an admin to set/modify this list?
> > I agree we'll need it (because of different assumptions). Something like
> > /etc/safe_environment file.
> Whoa, Let's not complicate things unnecessarily.

Agreed, let's let this discussion die instead. login(1) is no longer
setuid root, so the whole thing is a non-issue.

DES

-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Jacques A. Vidrine: "Re: Environment Poisoning and login -p"
• In reply to: Jacques A. Vidrine: "Re: Environment Poisoning and login -p"
• Next in thread: Mike Hoskins: "Re: Environment Poisoning and login -p"
• Reply: Mike Hoskins: "Re: Environment Poisoning and login -p"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Environment Poisoning and login -p ... let's let this discussion die instead. ... > setuid root, so the whole thing is a non-issue. ... (of course if someone is paranoid and wants to make relevant patches ... (FreeBSD-Security) Re: does die() allow PHP to be sent to the browser screen? ... The die() function does not print out anything. ... > If I'd had passwords visible in the code, I'd be in deep trouble. ... > Whoa. ... Serious misconfiguration, dude. ... (comp.lang.php) Re: Losing my feel for this? ... will that joke ever die? ... dejavu... ... (rec.games.miniatures.warhammer)