From owner-freebsd-security  Tue Oct 24 16:05:23 1995
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id QAA10430
          for security-outgoing; Tue, 24 Oct 1995 16:05:23 -0700
Received: from Root.COM (implode.Root.COM [198.145.90.17])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id QAA10425
          for <security@freebsd.org>; Tue, 24 Oct 1995 16:05:18 -0700
Received: from corbin.Root.COM (corbin [198.145.90.50]) by Root.COM (8.6.12/8.6.5) with ESMTP id QAA06820; Tue, 24 Oct 1995 16:05:15 -0700
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id QAA27606; Tue, 24 Oct 1995 16:01:09 -0700
Message-Id: <199510242301.QAA27606@corbin.Root.COM>
To: dab@berserkly.cray.com (David A. Borman)
cc: hartmans@mit.edu, security@freebsd.org
Subject: Re: telnetd fix 
In-reply-to: Your message of "Tue, 24 Oct 95 10:23:48 CDT."
             <9510241523.AA05306@frenzy.cray.com> 
From: David Greenman <davidg@Root.COM>
Reply-To: davidg@Root.COM
Date: Tue, 24 Oct 1995 16:01:09 -0700
Sender: owner-security@freebsd.org
Precedence: bulk

>It's not that simple.  The whole point of the environment option is
>to allow the passing of arbitrary environment variables, because you
>don't know what poeple may want to pass through.  Changing telnetd to only
>allow an enumerated list of variables through means that if I have some
>private application that looks at an environement variable, and I want
>to propogate that variable, I then have to go to the administrator and
>ask that my personal variable be added to the list.

   What can I say? It's a feature that has serious security ramifications that
likely can't be completely worked around in all cases.

>The current fix does the minimal amount of work needed to solve the
>immediate problem, and a better long-term solution can be developed
>without the pressure of getting out a fix ASAP.

   I remain unconvinced that the list of envirnoment variables in the proposed
patch is complete. After looking at the telnet manpage, I understand better
the desire to keep the original functionality of being able to pass arbitrary
variables, but honestly, I think this feature is only marginally useful for the
generic case. Even in the case of DISPLAY, I have to add it to my standard
.login because there are too many systems that I deal with that don't support
telnet environment passing option.
   At the moment, I'm seriously considering adding a switch to shut off the
feature in FreeBSD's telnetd and making it the default in inetd.conf.

-DG