On Fri, 6 Oct 2023 at 07:32, Zack Weinberg <zack@owlfolio.org> wrote:

> I also think we ought to be talking about a very short *whitelist* of
> environment
> variables that are allowed to survive execve() of a setxid binary -- off
> the top
> of my head, TERM, LANG, LANGUAGE, LC_*, and maybe *nothing else* -- and
> putting
> that list into the kernel itself.
>

That would break at least one application I know about (snapd):
https://bugs.launchpad.net/snapd/+bug/1682308

Cheers,
mwh