environ problem in 3.8p1
John P. Rouillard
rouilj at cs.umb.edu
Mon Mar 8 02:42:59 EST 2004
In message <4045388B.4090804 at zip.com.au>,
Darren Tucker writes:
>Damien Miller wrote:
>
>> Actually, this won't work - KRB5CCNAME gets set during the auth process.
>>
>> Perhaps we just need to blank a couple of environment variables. Comments?
>
>Yes, that seems safer. I had a patch somewhere that had configure check
>for unsetenv() and emulate it in openbsd-compat if not found (probably
>attached to the original bug #757).
Sorry if this has already been suggested, but I am only up to Tuesday
in my email backlog.
I would suggest not blanking "a couple of environment variables", but
passing only the environment variables you need and
blanking/removing all the rest. It's just safer since you never know
what variables could be used for an exploit later.
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
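One way to act on the allowlist approach suggested above, as an added C example that is not part of this thread or of OpenSSH's own code: instead of calling unsetenv() on a few known names, build the child's environment from scratch, keeping only entries whose name is on an allowlist. The allowed_vars list is a hypothetical placeholder; sshd would decide the real set per session.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist for illustration only. */
static const char *const allowed_vars[] = { "TERM", "LANG", "HOME", "USER", NULL };

/* Release an envp array produced by filter_env(). */
void free_env(char **env)
{
    size_t i;
    if (env == NULL) return;
    for (i = 0; env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Non-zero if "entry" (NAME=value) names a variable listed in "allow". */
int env_allowed(const char *entry, const char *const *allow)
{
    const char *eq = strchr(entry, '=');
    size_t n;
    if (eq == NULL || eq == entry) return 0;   /* malformed entry: drop it */
    n = (size_t)(eq - entry);
    for (; *allow != NULL; allow++)
        if (strlen(*allow) == n && memcmp(entry, *allow, n) == 0)
            return 1;
    return 0;
}

/* Copy only allowlisted entries of "in" into a new NULL-terminated envp.
 * Anything else (KRB5CCNAME included) is never carried over, so there is
 * no unsetenv() to emulate and no name that can be forgotten. */
char **filter_env(char *const *in, const char *const *allow)
{
    size_t count = 0, i, kept = 0, len;
    char **out;
    while (in[count] != NULL) count++;
    out = calloc(count + 1, sizeof(*out));     /* calloc keeps out[kept] == NULL */
    if (out == NULL) return NULL;
    for (i = 0; i < count; i++) {
        if (!env_allowed(in[i], allow)) continue;
        len = strlen(in[i]) + 1;
        if ((out[kept] = malloc(len)) == NULL) { free_env(out); return NULL; }
        memcpy(out[kept], in[i], len);
        kept++;
    }
    return out;
}

/* Number of entries in a NULL-terminated envp. */
size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL) n++;
    return n;
}
```

The returned array can be handed straight to execve() as the child's envp; the parent's own environ is left untouched.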