Date: Tue, 24 Oct 1995 16:01:09 -0700
From: David Greenman <davidg@Root.COM>
To: dab@berserkly.cray.com (David A. Borman)
Cc: hartmans@mit.edu, security@freebsd.org
Subject: Re: telnetd fix
Message-ID: <199510242301.QAA27606@corbin.Root.COM>
In-Reply-To: Your message of "Tue, 24 Oct 95 10:23:48 CDT." <9510241523.AA05306@frenzy.cray.com>
>It's not that simple. The whole point of the environment option is
>to allow the passing of arbitrary environment variables, because you
>don't know what people may want to pass through. Changing telnetd to only
>allow an enumerated list of variables through means that if I have some
>private application that looks at an environment variable, and I want
>to propagate that variable, I then have to go to the administrator and
>ask that my personal variable be added to the list.

What can I say? It's a feature that has serious security ramifications that likely can't be completely worked around in all cases.

>The current fix does the minimal amount of work needed to solve the
>immediate problem, and a better long-term solution can be developed
>without the pressure of getting out a fix ASAP.

I remain unconvinced that the list of environment variables in the proposed patch is complete. After looking at the telnet manpage, I understand better the desire to keep the original functionality of being able to pass arbitrary variables, but honestly, I think this feature is only marginally useful for the generic case. Even in the case of DISPLAY, I have to add it to my standard .login because there are too many systems that I deal with that don't support the telnet environment passing option.

At the moment, I'm seriously considering adding a switch to shut off the feature in FreeBSD's telnetd and making it the default in inetd.conf.

-DG
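The two controls argued over above, an enumerated allowlist of client-supplied variable names versus a switch that disables environment passing outright, as an added example that is not part of the original message and not FreeBSD's telnetd code. DISPLAY is the only variable the thread names; TERM and LANG in the allowlist, the global `env_passing_enabled` flag, and the function names are assumptions made for illustration. The check is an exact, case-sensitive match, so `DISPLAYX` and `display` are rejected, and a name containing `=` is refused because in the NEW-ENVIRON option (RFC 1572) names and values arrive as separate fields and a server that later builds `NAME=VALUE` strings would otherwise let a crafted name smuggle in a second variable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variables the server is willing to import from a client's ENVIRON/
 * NEW-ENVIRON option. DISPLAY is the one named in the thread; TERM and
 * LANG are assumptions for this example, not FreeBSD telnetd's list. */
static const char *const env_allowlist[] = { "DISPLAY", "TERM", "LANG", NULL };

/* The administrator's switch: when false, no client-supplied variable is
 * accepted at all (the "shut the feature off in inetd.conf" option). */
bool env_passing_enabled = true;

/* Return true if client-supplied variable NAME may be exported into the
 * login environment. Exact match only; a name containing '=' is rejected
 * because a later "NAME=VALUE" construction would split it in two. */
bool telnet_env_allowed(const char *name)
{
    if (!env_passing_enabled || name == NULL || *name == '\0')
        return false;
    if (strchr(name, '=') != NULL)
        return false;
    for (const char *const *p = env_allowlist; *p != NULL; p++)
        if (strcmp(name, *p) == 0)
            return true;
    return false;
}

/* Filter an array of "NAME=VALUE" strings (the form a server would hand
 * to login) into OUT, keeping only allowlisted names. Returns the count
 * kept. Entries without '=' or with an empty/oversized name are dropped. */
size_t filter_env(const char *const *in, size_t n,
                  const char **out, size_t max_out)
{
    size_t kept = 0;
    char name[256];
    for (size_t i = 0; i < n && kept < max_out; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;
        size_t len = (size_t)(eq - in[i]);
        if (len == 0 || len >= sizeof name)
            continue;
        memcpy(name, in[i], len);
        name[len] = '\0';
        if (telnet_env_allowed(name))
            out[kept++] = in[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed sample of what a client might try to push through. */
    const char *const client_env[] = {
        "DISPLAY=host:0",
        "TERM=vt100",
        "MY_PRIVATE_VAR=1",   /* the "personal variable" case from the thread */
        "DISPLAYX=evil",      /* prefix match must not be enough */
        "display=host:0",     /* case must match exactly */
    };
    const size_t n_in = sizeof client_env / sizeof client_env[0];
    const char *kept[8];

    size_t n = filter_env(client_env, n_in, kept, 8);
    for (size_t i = 0; i < n; i++)
        printf("accepted: %s\n", kept[i]);

    env_passing_enabled = false;
    printf("with the feature switched off: %zu accepted\n",
           filter_env(client_env, n_in, kept, 8));
    return 0;
}
```

With the switch on, only `DISPLAY=host:0` and `TERM=vt100` survive; with it off, nothing does, which is the trade-off the message describes: the private variable never reaches the login shell unless an administrator adds its name to the list.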