From owner-freebsd-security Tue Oct 24 07:29:09 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA14523 for security-outgoing; Tue, 24 Oct 1995 07:29:09 -0700 Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id HAA14518 for ; Tue, 24 Oct 1995 07:29:05 -0700 Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0t7kLY-0003yeC; Tue, 24 Oct 95 07:28 PDT Received: from localhost (localhost [127.0.0.1]) by critter.tfs.com (8.6.11/8.6.9) with SMTP id PAA02240; Tue, 24 Oct 1995 15:28:50 +0100 X-Authentication-Warning: critter.tfs.com: Host localhost didn't use HELO protocol To: davidg@Root.COM cc: dab@cray.com, security@freebsd.org, hartmans@mit.edu Subject: Re: telnetd fix In-reply-to: Your message of "Tue, 24 Oct 1995 07:07:43 MST." <199510241407.HAA27483@corbin.Root.COM> Date: Tue, 24 Oct 1995 15:28:50 +0100 Message-ID: <2238.814544930@critter.tfs.com> From: Poul-Henning Kamp Sender: owner-security@freebsd.org Precedence: bulk > Dave - > > Hi; I've been thinking about the telnetd security patch that was recently > sent out. I've been watching the list of "vulnerable" environment variables > grow daily...I really think that excluding certain environment variables is t he > wrong approach to solving the problem. I think it is is much wiser to do an > inclusive test rather than an exclusive one - in other words, only allow > setting specific environment variables such as DISPLAY and TERM (perhaps thos e > two comprise a complete list - I can't think of any legitimate others). [...] Could I suggest that we add /etc/default/telnetd and that it can contain a list of allowed environment variables ? -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so.