Re: [PATCH] Prefer getenv("HOME") to find the UNIX home directory

From Anders Kaseorg
Subject Re: [PATCH] Prefer getenv("HOME") to find the UNIX home directory
Msg-id 5d675cbe-7837-e9ae-961d-be7d03201f3b@mit.edu
In response to Re: [PATCH] Prefer getenv("HOME") to find the UNIX home directory  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: [PATCH] Prefer getenv("HOME") to find the UNIX home directory  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
List pgsql-hackers
On 10/19/21 01:34, Kyotaro Horiguchi wrote:
> I tend to agree to this, but seeing ssh ignoring $HOME, I'm not sure
> it's safe that we follow the variable at least when accessing
> confidentiality(?) files.  Since I don't understand the exact
> reasoning for the ssh's behavior so it's just my humble opinion.

According to https://bugzilla.mindrot.org/show_bug.cgi?id=3048#c1, it 
used to be supported to install the ssh binary as setuid.  A 
setuid/setgid binary needs to treat all environment variables with 
suspicion: if it can be convinced to write a file to $HOME with root 
privileges, then a user who modifies $HOME before invoking the binary 
could cause it to write to a file that the user normally couldn’t.

There’s no such concern for a binary that isn’t setuid/setgid.  Anyone 
with the ability to modify $HOME can be assumed to already have full 
control of the user account.

Anders
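
The distinction drawn in the message above, as an added example in C that is not part of the original post or of the PostgreSQL patch: $HOME is honoured only when the process is not running setuid/setgid, and the passwd database is used otherwise. The names choose_home, resolve_home and runs_with_elevated_ids are hypothetical, and treating an empty $HOME as unset is an assumption of this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Nonzero when the effective IDs differ from the invoking user's real IDs,
 * i.e. the process was started from a setuid or setgid binary. */
static int runs_with_elevated_ids(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision step (hypothetical helper). env_home is the value of $HOME,
 * pw_dir the passwd entry's directory; either may be NULL. */
static const char *choose_home(const char *env_home, int elevated,
                               const char *pw_dir)
{
    /* Not setuid/setgid: whoever set $HOME already controls the account,
     * so the variable is trusted. Empty is treated as unset (assumption). */
    if (!elevated && env_home != NULL && env_home[0] != '\0')
        return env_home;
    /* Elevated, or $HOME unusable: consult only the passwd database, which
     * the invoking user cannot change through the environment. */
    return pw_dir;
}

/* Home directory for the current process, or NULL if it cannot be found.
 * The result points into the environment or getpwuid()'s static buffer. */
static const char *resolve_home(void)
{
    struct passwd *pw = getpwuid(getuid());
    return choose_home(getenv("HOME"), runs_with_elevated_ids(),
                       pw ? pw->pw_dir : NULL);
}

int main(void)
{
    const char *home = resolve_home();
    printf("home directory: %s\n", home ? home : "(unknown)");
    return home ? 0 : 1;
}
```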


