Date: Sun, 11 Feb 2001 19:34:32 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Garance A Drosihn <drosih@rpi.edu>, Kris Kennaway <kris@obsecurity.org>, Jacques Vidrine <nectar@FreeBSD.org>, arch@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/usr.bin/login login.c
Message-ID: <20010211193432.A5428@mollari.cthul.hu>
In-Reply-To: <Pine.NEB.3.96L.1010211222430.64780Q-100000@fledge.watson.org>; from rwatson@FreeBSD.org on Sun, Feb 11, 2001 at 10:27:19PM -0500
References: <p05010415b6ad05de601a@[128.113.24.47]> <Pine.NEB.3.96L.1010211222430.64780Q-100000@fledge.watson.org>
On Sun, Feb 11, 2001 at 10:27:19PM -0500, Robert Watson wrote:

> Perhaps I'm confused here, but isn't the list above the list of
> environmental variables being applied to environmental variables exported
> by the authentication/login authorization system itself? I'm a bit
> confused as to why those variables even need filtering, other than to
> discourage module developers from colliding on use of these potentially
> abused variables.

Yes, this has been clarified, although I still worry about a PAM module passing in environment variables from the remote system somehow.

> More on your point, however -- having a centralized list of "safe"
> variables, possibly classifiable by user class, would be nice. However, a
> lot of the places where this list of variables is needed are places where
> a user class is not available -- for example, in the telnetd->login
> transition.

Yes, we need a way for the administrator to add environment variables which are safe or desired in the local environment. Recently telnetd was changed to filter out all but a set of known safe variables, so the only way for an administrator to do this would be to recompile telnetd.

Kris
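The filtering the thread describes, as an added example that is not FreeBSD's telnetd or login code: an allow-list filter over an environment block, with a built-in list of safe names plus a comma-separated admin-supplied list checked at runtime instead of compile time. The built-in names, the `SITEVAR` admin entry and the sample environment are constructed for this example; the thread's actual list is in an earlier message not shown here.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Built-in allow-list of variable names (constructed for this example). */
static const char *const builtin_safe[] = { "TERM", "TZ", "LANG", "DISPLAY", NULL };

/* Nonzero if the n-byte name matches one entry of a NULL-terminated list. */
static int in_list(const char *name, size_t n, const char *const *list) {
    for (; *list != NULL; list++)
        if (strlen(*list) == n && strncmp(*list, name, n) == 0)
            return 1;
    return 0;
}

/* Nonzero if the n-byte name appears in a comma-separated admin list
 * (hypothetical "extra safe variables" setting; NULL or "" means none). */
static int in_admin_list(const char *name, size_t n, const char *extra) {
    while (extra != NULL && *extra != '\0') {
        size_t len = strcspn(extra, ",");
        if (len == n && strncmp(extra, name, n) == 0)
            return 1;
        extra += len;
        if (*extra == ',')
            extra++;
    }
    return 0;
}

/* Copy the NAME=value entries of envp whose NAME is allow-listed into out
 * (outcap slots including the terminating NULL). Entries with no '=' are
 * dropped, as is anything not on either list. Returns the count kept. */
size_t filter_env(char *const *envp, const char *extra, char **out, size_t outcap) {
    size_t kept = 0;
    for (; *envp != NULL && kept + 1 < outcap; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq == NULL)
            continue;
        size_t n = (size_t)(eq - *envp);
        if (in_list(*envp, n, builtin_safe) || in_admin_list(*envp, n, extra))
            out[kept++] = *envp;
    }
    out[kept] = NULL;
    return kept;
}

/* Constructed sample environment as a remote peer might send it. */
static char *const sample_env[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so",
                                    "LANG=C", "SITEVAR=1", "BOGUS", NULL };

size_t filter_sample(const char *extra, char **out, size_t outcap) {
    return filter_env(sample_env, extra, out, outcap);
}

int main(void) {
    char *out[8];
    size_t n = filter_sample("SITEVAR", out, 8);
    for (size_t i = 0; i < n; i++)
        printf("kept: %s\n", out[i]);
    return 0;
}
```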