Hey. I should add, that there was: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136
which is about a security hole that involved reading the user specific environment file. I couldn't find any in-depth analysis of that or some definite information on whether this was fixed or not. Cause in principle, if done right of course, it would sound strange if this could be used for an attack, when any user could also just set such vars in .profile/etc. . Also, e.g. Debian's /etc/pam.d/sshd would still read the user env file per default (so wouldn't that be affected from any security hole, too?) See perhaps also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989919#20 Thanks, Chris.
