Re: SunOS exploit.

Daniel Reish (dreish@IZZY.NET)
Tue, 20 May 1997 05:40:32 -0400

On Sun, 18 May 1997, Trevor Linton wrote:

[...]

> tcsh and some other shells i remember don't allow USER and LOGNAME
> modifying. :\

> Anyways here's a rough patch:

[...]

> 3) possibly get the programmers of bash to fix it so USER and
> LOGNAME can't be modified unless it's super-user.

This isn't a fix. Anyone who could understand this vulnerability well
enough to exploit it would also understand how to use execve(2). Security
doesn't come from user programs like the shell. It comes from the OS.
(One hopes it does, at least.)

In this case, the fix is to realize that environment variables don't
contain trusted information, and to bear this in mind while rewriting the
broken passwd commands. In a way, the act of "fixing" shells to paper
over this fact has the potential to do more damage than good, since it
might lull some programmers into believing that $USER really _is_ to be
trusted. It certainly won't stop any attacker with the least bit of
determination.

--
Dan
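Added example, not part of the original post or thread: a small C program that shows why patching the shell cannot help. It builds an environment by hand and hands it to a child with execve(2), so whatever tcsh or bash refuse to let you set simply never enters the picture, and then contrasts the broken identity check (trusting $USER) with the one a privileged program should make (getuid(2) mapped through the passwd database). The check functions are a hypothetical sketch of the kind of logic a passwd command might use, not the actual SunOS code; the example assumes a POSIX system with /bin/sh.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run /bin/sh with an environment of our choosing and report whether the
 * shell saw $USER equal to `expect`.  Returns 1 if it did, 0 if it did not,
 * -1 if fork/exec failed.  Nothing about the parent's own shell matters:
 * execve(2) gives the child exactly the envp[] built by the caller. */
static int child_sees_user(char *const envp[], const char *expect)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* $1 carries `expect`; the child exits 0 iff $USER matches it. */
        char *const argv[] = { "sh", "-c", "[ \"$USER\" = \"$1\" ]", "sh",
                               (char *)expect, NULL };
        execve("/bin/sh", argv, envp);
        _exit(127);                 /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* What an attacker does: ignore any shell that refuses to modify USER and
 * LOGNAME, and construct the environment directly. */
int forged_user_reaches_child(const char *forged)
{
    char user[256], logname[256];
    snprintf(user, sizeof user, "USER=%s", forged);
    snprintf(logname, sizeof logname, "LOGNAME=%s", forged);
    char *const envp[] = { user, logname, "PATH=/usr/bin:/bin", NULL };
    return child_sees_user(envp, forged);
}

/* What a privileged program should do instead: ask the kernel for the real
 * uid and map it through the passwd database.  Returns 0 and fills `buf`
 * on success, -1 if the uid has no passwd entry. */
int identity_from_kernel(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return -1;
    snprintf(buf, len, "%s", pw->pw_name);
    return 0;
}

/* Broken check (hypothetical sketch): believes $USER.  Returns 1 if $USER
 * names `who`. */
int broken_is_user(const char *who)
{
    const char *u = getenv("USER");
    return u != NULL && strcmp(u, who) == 0;
}

/* Fixed check: only the kernel-backed identity counts. */
int fixed_is_user(const char *who)
{
    char name[256];
    return identity_from_kernel(name, sizeof name) == 0 &&
           strcmp(name, who) == 0;
}

/* Set $USER in our own process to `forged` and see whether the broken check
 * accepts it.  Returns 1 if it is fooled. */
int forged_env_fools_broken_check(const char *forged)
{
    setenv("USER", forged, 1);
    return broken_is_user(forged);
}

int main(void)
{
    char me[256];
    printf("child sees forged USER=root: %d\n", forged_user_reaches_child("root"));
    printf("broken check fooled by USER=root: %d\n", forged_env_fools_broken_check("root"));
    printf("fixed check says we are root: %d\n", fixed_is_user("root"));
    if (identity_from_kernel(me, sizeof me) == 0)
        printf("kernel says we are: %s\n", me);
    return 0;
}
```

Run it as an ordinary user: the child reports the forged name, the $USER-based check accepts it, and only the getuid()-based check refuses. The lesson for the passwd rewrite is the one in the post: read identity from the kernel, never from the environment.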