On Fri, 6 Oct 2023 at 07:32, Zack Weinberg wrote: > I also think we ought to be talking about a very short *whitelist* of > environment > variables that are allowed to survive execve() of a setxid binary -- off > the top > of my head, TERM, LANG, LANGUAGE, LC_*, and maybe *nothing else* -- and > putting > that list into the kernel itself. > That would break at least one application I know about (snapd): https://bugs.launchpad.net/snapd/+bug/1682308 Cheers, mwh