Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!mucs!liv-cs!rkl
From: rkl@anduin.cs.liverpool.ac.uk
Newsgroups: comp.sys.hp
Subject: Possible 'loophole' during an HP-UX login
Message-ID: <1990Sep4.133113.16640@anduin.cs.liverpool.ac.uk>
Date: 4 Sep 90 12:31:13 GMT
Organization: Computer Science, Liverpool University
Lines: 29

Someone brought to my attention the following "loophole" when running
/etc/profile or /etc/csh.login under HP-UX (6.2,6.5 or 7.0) on Series 300
or 800 machines:

$ telnet hostname
login: fred IFS=euq          # Yes, login can assign env. vars.
Password: <Type password)

Depending on the chars assigned to IFS, you are very likely to get
"test: argument expected" and a complete bomb out to the shell prompt.
We implement a "home-brew" quotaing check (roll on 8.0 !) at login and
this circumvents it quite easily.

How to fix it:

The IFS variable is used by ksh to determine the separators for read
and test and doesn't actually need to be defined (it will default to
space, tab and newline - $20,$09,$0A - if it isn't).
So put: unset IFS at the top of your /etc/profile and
        unsetenv IFS at the top of your /etc/csh.login.

I assume this is OK and won't wreck anything - anyone else want to
check this out ?

Richard K. Lloyd,       *** This is a MicroVAX II running VAX/VMS V5.3-1 ***
Computer Science Dept., * JANET     : RKL@UK.AC.LIV.CS.AND or              *
Liverpool University,   *             RKL@000010500211.FTP.MAIL            *
Merseyside, England,    * Internet  : RKL%and.cs.liv.ac.uk@cunyvm.cuny.edu *
Great Britain.          ***       Please note: New e-mail address !      ***