On Mon, 2 Oct 2017, Chet Ramey wrote:

> On 10/1/17 7:30 PM, L A Walsh wrote:
> 
> > Only in the case of login -- the user CAN'T set it before they log in, but
> > someone **could** have changed the system /etc/profile script to set OLDPWD
> > to /hang (i.e. someone is behaving "maliciously"). 
> 
> Login shells rarely get OLDPWD from the environment. How about checking
> OLDPWD only if it appears in the environment, which would avoid the
> set-maliciously-in-etc-profile problem?
> 
> That is consistent with the current behavior for importing PWD.

The problem is not intentional sabotage of /etc/profile (there are many 
other ways to sabotage /etc/profile without $OLDPWD - and protecting 
against all of them is futile).

The problem is that $OLDPWD causes unintended activations of the 
automounter and unintended delays. For example:
/root# cd /some/automounted/directory
/some/automounted/directory# cd ~
/root# /etc/init.d/mail-daemon start

- now, the mail daemon inherits OLDPWD=/some/automounted/directory and 
every incoming email will poke this directory and activate the automounter 
and cause delay.

Note that when the admin starts the mail daemon, he may have already forgotten 
what directory he was in before (if he keeps the console open for many 
days and he did some work on the automounted directory the day before), so 
he may not even be aware of the problem.

Mikulas
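
The inheritance described in the message above, as an added shell example that is not part of the original thread: it replays the cd / cd-back / start-a-child session, shows the child receiving OLDPWD, and shows a launcher that drops it. The function names, the mktemp directory standing in for the automounted path, and the /proc-based audit (Linux only) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). A plain mktemp directory
# stands in for the automounted path; no automounter is involved.

# Print the OLDPWD value a child process receives. "$@" is an optional
# launcher prefix such as run_scrubbed. Prints nothing if the child has none.
child_oldpwd() {
    "$@" env | sed -n 's/^OLDPWD=//p'
}

# Replay the session from the message: cd into a directory, cd away again,
# then start a child from that shell. The explicit export makes shells that
# do not export OLDPWD by themselves behave like the session in the message.
leak_demo() {
    ( cd "$1" && cd / && export OLDPWD && child_oldpwd )
}

# Start a command without OLDPWD, leaving the rest of the environment alone.
run_scrubbed() {
    ( unset OLDPWD; exec "$@" )
}

# Same session, but the child is started through run_scrubbed.
scrubbed_demo() {
    ( cd "$1" && cd / && export OLDPWD && child_oldpwd run_scrubbed )
}

# Linux only (assumes /proc): print the OLDPWD a running process was started
# with, so daemons that are already running can be audited. Needs read access
# to the process's environ file (same user or root).
proc_oldpwd() {
    tr '\0' '\n' < "/proc/$1/environ" | sed -n 's/^OLDPWD=//p'
}

if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'child sees OLDPWD=%s\n' "$(leak_demo "$d")"
    printf 'scrubbed child sees OLDPWD=%s\n' "$(scrubbed_demo "$d")"
    rmdir "$d"
fi
```

Run the script with the argument `demo` to see both cases; an init script would wrap the daemon start as `run_scrubbed /path/to/daemon`.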

