TZ environment variable

Garrett Wollman wollman at
Mon May 9 20:05:49 UTC 2005

<<On Mon, 09 May 2005 12:23:24 -0700, Paul Eggert <eggert at CS.UCLA.EDU> said:

> "Olson, Arthur David (NIH/NCI)" <olsona at> writes:
>> If the TZ environment variable needs to be checked for mischief-making time
>> zone abbreviations, the same check needs to be applied to values derived
>> from time zone files

> Yes, quite right.  Presumably the same check should be applied to each.

My argument that the correct way to handle this would be to expect
security-sensitive applications to do:


...which they ought to do anyway.  A slight improvement, for those
systems which implement issetugid(), would be for the library routines
to ignore the setting of TZ if this returns true.


More information about the tz mailing list