[PATCH/cygwin] reduce number of propagated environment variables
Roumen Petrov
openssh at roumenpetrov.info
Sat Feb 20 09:44:59 EST 2010
Corinna Vinschen wrote:
> On Feb 19 23:26, Roumen Petrov wrote:
>> Hi Corinna,
>>
>> Corinna Vinschen wrote:
>>> - { NL("TMP=") },
>>> - { NL("TEMP=") },
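Review bot: the removal of `{ NL("TMP=") }` and `{ NL("TEMP=") }` leaves nothing in the code to say that these two are deliberately not propagated. A short comment next to the table these entries come from would help. It should note that temp-directory variables inherited from the privileged account running sshd can point at a directory the switched-to user cannot access, and that TMP, TEMP or TMPDIR belong in the user's profile. That would keep someone from re-adding them later.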
>
>> Why are TMP and TEMP in the list for removal?
>> Some open-source project may use TMP.
>
> And it doesn't hurt if they are not set. The default is /tmp, as
> usual. TMP and TEMP are also not set if you start a child process
> under sshd on other systems like OpenBSD or Linux.
>
> On the contrary, we stumbled over the disadvantage to propagate /tmp to
> the child only yesterday. If TMP and TEMP are set to a directory which
> only the privileged user running sshd has access to, then the user switch
> results in unusable TMP and TEMP settings. Setting TMP or TEMP or TMPDIR
> should better be done in the user's profile.
OK
>> What is the impact if PROCESSOR_* is removed? Did you test, for example,
>> with python?
>
> The idea in sshd was for many years not to propagate any variables from
> the privileged user running sshd to the unprivileged child process.
> The Cygwin version propagates a couple of variables because they are
> required to run child processes, but the idea also was to keep the
> list as small as possible. The removed variables are not actually
> necessary. Even ALLUSERSPROFILE is a questionable variable which I
> could be convinced to sacrifice.
>
> No, I didn't test with python. Cygwin's python should work without
> these variables. You are not actually trying to tell me that python
> really uses these environment variables to fetch information about the
> CPU, right? The variables are not available on other systems and the
> user could set them to arbitrary values. /proc/cpuinfo for instance,
> which is available on Cygwin as well, is a much more reliable source of
> information.
Yes, but a user may use Cygwin sshd to access the system and to run a
non-Cygwin python.
The values of PROCESSOR_ARCHITECTURE and PROCESSOR_IDENTIFIER are output from
platform.uname() if the platform is identified as win32.
No idea about other projects.
> Corinna
>
Roumen
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
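
The allowlist idea discussed in this thread (pass only a short list of named variables from the privileged parent to the unprivileged child), as an added example that is not OpenSSH's own code. The entries in `allowed`, the function names and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name prefix (including '=') plus its length, so a match is one strncmp(). */
struct wenv { const char *name; size_t namelen; };
#define NL(x) x, (sizeof(x) - 1)

/* Hypothetical allowlist for this example; TMP= and TEMP= are not in it. */
static const struct wenv allowed[] = {
    { NL("ALLUSERSPROFILE=") },
    { NL("PATH=") },
    { NL("SYSTEMROOT=") },
    { NULL, 0 }
};

/* Return 1 if the "NAME=value" entry starts with an allowlisted "NAME=". */
static int env_allowed(const char *entry)
{
    for (const struct wenv *p = allowed; p->name != NULL; p++)
        if (strncmp(entry, p->name, p->namelen) == 0)
            return 1;
    return 0;   /* default deny: anything not listed is dropped */
}

/* Build a NULL-terminated array holding only the allowlisted entries of
 * parent_env. Strings are shared with the input; only the array is
 * allocated. Returns NULL on allocation failure. */
char **filter_env(char *const *parent_env, size_t *kept)
{
    size_t n = 0, k = 0;
    while (parent_env[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof(*out));
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        if (env_allowed(parent_env[i]))
            out[k++] = parent_env[i];
    out[k] = NULL;
    if (kept != NULL) *kept = k;
    return out;
}

int main(void)
{
    /* Constructed sample environment of a privileged service account. */
    char *env[] = { "PATH=/usr/bin", "PATHEXT=.EXE", "TMP=/cygdrive/c/admin-tmp",
                    "PROCESSOR_ARCHITECTURE=x86", NULL };
    char **child = filter_env(env, NULL);
    for (size_t i = 0; child != NULL && child[i] != NULL; i++) puts(child[i]);
    free(child);
    return 0;
}
```

Because each prefix includes the trailing `=`, `PATHEXT=` does not match the `PATH=` entry and is dropped along with `TMP=` and `PROCESSOR_ARCHITECTURE=`.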