
JFTR, PermitUserEnvironment is nowadays disabled by default. You should also make sure that AcceptEnv is sane (e.g. just accept LC_* and LANG).

But even if you use a statically linked /bin/false, you must make sure that you disable PermitUserEnvironment, as sh(1) is executed if ~/.ssh/rc exists and sh is typically dynamically linked.



It's disabled by default on most systems, but I wouldn't want to assume that Crazy Chimpanzee Linux doesn't do something stupid, or that no sysadmin flips that option on without understanding the consequences.
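
An added example, not part of either comment: a check of the two settings discussed above, run over `sshd_config` text or `sshd -T` output instead of trusting the defaults. The function names and the sample input are constructed for illustration; the allow-list is the `LANG` and `LC_*` suggested in the first comment.

```python
# Added example: audit sshd_config or `sshd -T` text for the two settings above.
ALLOWED_EXACT = {"LANG"}   # allow-list taken from the comment: LANG ...
ALLOWED_PREFIX = "LC_"     # ... and LC_*


def acceptenv_ok(pattern):
    """True if every name the pattern can match is LANG or starts with LC_."""
    return pattern in ALLOWED_EXACT or pattern.startswith(ALLOWED_PREFIX)


def audit_sshd_env(config_text):
    """Return (line_number, keyword, value) for each risky setting found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        # Keywords are case-insensitive; tolerate "Keyword=value" and quotes.
        parts = [p.strip('"') for p in line.replace("=", " ", 1).split()]
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "permituserenvironment":
            # Anything but "no" ("yes" or a pattern list) lets users set
            # variables. Every occurrence is reported, which is conservative.
            value = " ".join(args)
            if value.lower() != "no":
                findings.append((number, keyword, value))
        elif keyword == "acceptenv":
            # AcceptEnv is cumulative and takes several patterns per line.
            for pattern in args:
                if not acceptenv_ok(pattern):
                    findings.append((number, keyword, pattern))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
PermitUserEnvironment yes
AcceptEnv LANG LC_*
AcceptEnv GIT_* *
"""

if __name__ == "__main__":
    for number, keyword, value in audit_sshd_env(SAMPLE):
        print(f"line {number}: {keyword} {value}")
```

Feeding it the output of `sshd -T` checks the effective configuration, including compiled-in defaults and included files, rather than one file on disk.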



