[2360] in bugtraq
Re: a point is being missed
daemon@ATHENA.MIT.EDU (Casper Dik)
Sat Nov 4 16:56:03 1995
Date: Sat, 4 Nov 1995 19:51:39 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Casper Dik <casper@Holland.Sun.COM>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Your message of "Fri, 03 Nov 1995 09:57:46 EST."
<199511031457.JAA13148@narq.avian.org>
>Why in all this telnetd flap has nobody mentioned that /bin/login should
>be relinked STATICALLY? That at least defers the LD_* class of problem
>until after login has done the setuid and exec, but still leaves things
>like IFS passed to scripts.

Unfortunately, we can't do that.

Too much *requires* static dynamic linking, and in future even more
will be required. (Pluggable Authentication Modules)

BTW, login does filter other bad variables such as PATH, IFS and SHELL.

Casper
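
The kind of environment filtering discussed in this thread (the LD_* class, plus PATH, IFS and SHELL), as an added C example that is not part of the original message and is not Sun's login code. The denylist contents, the function names `env_is_unsafe` and `scrub_env`, and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if "NAME=value" must not be passed on to a privileged program.
 * Assumed denylist: only the variables named in the thread. */
static int env_is_unsafe(const char *entry)
{
    static const char *const exact[] = { "PATH", "IFS", "SHELL", NULL };
    const char *eq = strchr(entry, '=');
    size_t i, len;

    if (eq == NULL || eq == entry)          /* malformed: no '=' or empty name */
        return 1;
    if (strncmp(entry, "LD_", 3) == 0)      /* whole LD_* class (runtime linker) */
        return 1;
    len = (size_t)(eq - entry);
    for (i = 0; exact[i] != NULL; i++)      /* exact match, so PATHNAME survives */
        if (strlen(exact[i]) == len && strncmp(entry, exact[i], len) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated envp in place; return the number of entries dropped. */
size_t scrub_env(char **env)
{
    size_t kept = 0, dropped = 0, i;

    for (i = 0; env[i] != NULL; i++) {
        if (env_is_unsafe(env[i]))
            dropped++;
        else
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, as handed over by a remote client. */
    char *env[] = { "TERM=vt100", "LD_PRELOAD=/tmp/x.so", "IFS=/",
                    "PATHNAME=ok", "PATH=/tmp", "DISPLAY=host:0", NULL };
    size_t i, n = scrub_env(env);

    printf("dropped %lu entries\n", (unsigned long)n);
    for (i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```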