Date: Tue, 24 Oct 1995 15:28:50 +0100
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: davidg@Root.COM
Cc: dab@cray.com, security@freebsd.org, hartmans@mit.edu
Subject: Re: telnetd fix
Message-ID: <2238.814544930@critter.tfs.com>
In-Reply-To: Your message of "Tue, 24 Oct 1995 07:07:43 MST." <199510241407.HAA27483@corbin.Root.COM>

> Dave -
>
>    Hi; I've been thinking about the telnetd security patch that was recently
> sent out. I've been watching the list of "vulnerable" environment variables
> grow daily...I really think that excluding certain environment variables is the
> wrong approach to solving the problem. I think it is much wiser to do an
> inclusive test rather than an exclusive one - in other words, only allow
> setting specific environment variables such as DISPLAY and TERM (perhaps those
> two comprise a complete list - I can't think of any legitimate others).
[...]

Could I suggest that we add /etc/default/telnetd and that it can contain
a list of allowed environment variables?

--
Poul-Henning Kamp | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK] | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
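
Added example, not part of the original message and not FreeBSD's telnetd code: the inclusive test discussed above, in C, beside an exclusive one. The one-name-per-line format for the proposed /etc/default/telnetd, the function names and the placeholder variable names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the proposed allow-list file. The format (one
 * variable name per line, '#' starts a comment line) is an assumption. */
static const char sample_conf[] =
    "# variables a telnet client may set\n"
    "DISPLAY\n"
    "TERM\n";

/* Inclusive test: 1 only if name is exactly one whole line of conf. */
static int env_allowed(const char *conf, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = conf;

    if (nlen == 0 || name[0] == '#' || strchr(name, '=') != NULL)
        return 0;                       /* never match blanks, comments, NAME=value */
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");  /* length of the current line */
        if (len == nlen && memcmp(p, name, nlen) == 0)
            return 1;                   /* exact match, not a prefix match */
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Exclusive test for contrast: rejects only names already on the list. */
static int env_not_denied(const char *name)
{
    static const char *const denied[] = { "KNOWN_BAD_VAR", NULL }; /* placeholder */
    for (size_t i = 0; denied[i] != NULL; i++)
        if (strcmp(name, denied[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    const char *requests[] = { "TERM", "DISPLAY", "TERMCAP",
                               "KNOWN_BAD_VAR", "NOT_YET_LISTED_VAR" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-20s allow-list:%d deny-list:%d\n", requests[i],
               env_allowed(sample_conf, requests[i]), env_not_denied(requests[i]));
    return 0;
}
```

A name that nobody has yet added to the exclusion list passes the exclusive test by default, while the inclusive test rejects it until an administrator adds it to the file.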