A handy routine for making setuid programs safer

[Lawrence V. Cipriani]

I missed the past month of this group so this might be a repeat ...

One of the first things I do when writing setuid() C program is to
call putenv("IFS= \t\n"); very near the beginning of main().  putenv()
is the inverse of getenv() and is in the C library on my 3B computers
but it isn't documented!  Is there are reason for putenv() being
undocumented or was this an oversight?

Another more radical change would be to change the shell you use
to set the value of IFS to " \t\n" at startup and trash the value
inherited from the environment.  I did this to our version of sh and
nobody noticed!  This change protects against the IFS=/ ; dumbcommand
hack.

-- 
oo
Larry Cipriani, AT&T Networks Systems (by day) Ohio State University (by night)
Domain: lvc at tut.cis.ohio-state.edu
Path: ...!cbosgd!osu-cis!tut.cis.ohio-state.edu!lvc (yes its right)