[2614] in Kerberos-V5-bugs
krb5-appl/326: for 1.0 patch: rlogin preserves HOME, USER, etc
daemon@ATHENA.MIT.EDU (hartmans@MIT.EDU)
Sat Dec 28 20:57:16 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, hartmans@MIT.EDU
Date: Sat, 28 Dec 1996 20:56:48 -0500
From: hartmans@MIT.EDU
Reply-To: hartmans@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 326
>Category: krb5-appl
>Synopsis: for 1.0 patch: rlogin preserves HOME, USER, etc
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Dec 28 20:57:00 EST 1996
>Last-Modified:
>Originator: Sam Hartman
>Organization:
mit
>Release: 1.0-development
>Environment:
System: SunOS starkiller 5.4 Generic_101945-37 sun4m sparc
>Description:
A recent change causes klogind to be called with -p in order to
preserve the TERM environment variable. This exposes a bug where
login only sets HOME, USER and several other environment variables if
they are not already set.
This conflicts with the behavior of 4.4BSD and my opinion about what should happen.
>How-To-Repeat:
Log into a system using rlogin out of 1.0 and look at $HOME.
>Fix:
I propose a two part fix. For the 1.0 patch release I propose
to make login always set these variables. It may be a security issue
in some environments not to do so and it is the correct behavior for
login.
In addition, I don't think klogind really needs to pass -p to
login; I am fairly certain that it will always respect the caller's
TERM. If it does not, I think adding this functionality would be
appropriate. I will investigate this for the mainline.
>Audit-Trail:
>Unformatted: