by cyberax
608 days ago
Yeah. This part of the login process _really_ irks me. It's just badly designed, and it's a magnet for all kinds of security vulnerabilities. One way to fix it is to standardize on a "shim" process. So the session manager can prepare all the required information within the root context: env vars, Kerberos/OIDC tokens, PGP key socket paths, and so on. Locally configured modules can augment that with their own data. Then it should package this information into a self-contained packet via memfd, and launch a shim process within the target user's context. The shim can then do whatever it needs, and finally exec the login shell. So at no point should the privileged context poke the less-privileged context directly. The privilege transition should happen only once, and it can be done within a clean fully controlled environment.
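The handoff described in the comment above, as an added example that is not part of the original post and not code from any real session manager. It assumes Linux (memfd_create and fcntl file seals), simulates the shim as a forked child rather than a separate executable, and uses constructed key=value lines (USER, HOME, KRB5CCNAME) as the "packet". The privileged side builds the packet, seals it so it cannot be altered after handoff, and the child drops privileges exactly once before consuming it; the place where a real shim would exec the login shell is marked with a comment.

```c
// Added example (not from the comment): a "login packet" built in the
// privileged parent as a sealed memfd and handed to a child that drops
// privileges once and then consumes it. Linux-only (memfd_create + F_ADD_SEALS).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Privileged side: serialise key=value lines into an anonymous memfd and seal
 * it so the less-privileged shim can read it but never grow, shrink or modify
 * it. Returns the fd, or -1 on failure. MFD_CLOEXEC is set here; a real shim
 * launcher would dup2() the fd to a known number before execve(). */
int build_packet(const char *const *lines, size_t n) {
    int fd = memfd_create("login-packet", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(lines[i]);
        if (write(fd, lines[i], len) != (ssize_t)len || write(fd, "\n", 1) != 1) {
            close(fd);
            return -1;
        }
    }
    if (fcntl(fd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the packet carries a write seal (so nobody can alter it after handoff). */
int packet_is_immutable(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & F_SEAL_WRITE) != 0;
}

/* Read the whole packet from offset 0 into buf; returns bytes read or -1. */
ssize_t read_packet(int fd, char *buf, size_t cap) {
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Drop to the target identity exactly once. If the process already is the
 * target user (the usual case when run unprivileged) there is nothing to do. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == uid && getgid() == gid) return 0;
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* After the drop it must be impossible to regain root. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Shim stand-in: fork, drop privileges in the child, check that the packet is
 * readable and immutable, then (in a real shim) exec the login shell.
 * Returns the child's exit status: 0 on success, non-zero otherwise. */
int run_shim(int fd, uid_t uid, gid_t gid, const char *expect) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[4096];
        if (drop_privileges(uid, gid) < 0) _exit(2);
        if (read_packet(fd, buf, sizeof buf) < 0) _exit(3);
        if (strcmp(buf, expect) != 0) _exit(4);
        /* Tampering with the sealed packet must fail with EPERM. */
        if (pwrite(fd, "X", 1, 0) != -1 || errno != EPERM) _exit(5);
        /* A real shim would now set env from buf, chdir($HOME) and execve(shell). */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample packet; the token path is a placeholder, not a real file. */
    const char *lines[] = { "USER=alice", "HOME=/home/alice",
                            "KRB5CCNAME=FILE:/tmp/krb5cc_placeholder" };
    int fd = build_packet(lines, 3);
    if (fd < 0) { perror("build_packet"); return 1; }
    int rc = run_shim(fd, getuid(), getgid(),
        "USER=alice\nHOME=/home/alice\nKRB5CCNAME=FILE:/tmp/krb5cc_placeholder\n");
    printf("shim exit status: %d, sealed: %d\n", rc, packet_is_immutable(fd));
    close(fd);
    return rc;
}
```

Run as an ordinary user the child is already the target identity, so only the packet handling is exercised; run as root with a non-root uid/gid passed to run_shim, the child performs the single setgroups/setgid/setuid transition and verifies it cannot return to uid 0. The seals are what make the packet safe to hand across the boundary: once F_SEAL_WRITE and F_SEAL_SEAL are in place, neither side can alter the contents or remove the seals.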