Date: Wed, 25 Oct 95 10:00:43 -0500 From: dab@berserkly.cray.com (David Borman) To: davidg@Root.COM Cc: hartmans@mit.edu, security@freebsd.org Subject: Re: telnetd fix Message-ID: <9510251500.AA00695@berserkly.cray.com>
next in thread | raw e-mail | index | archive | help
> From root@corbin.Root.COM Tue Oct 24 18:02:46 1995 > To: dab@berserkly.cray.com (David A. Borman) > Cc: hartmans@mit.edu, security@freebsd.org > Subject: Re: telnetd fix > From: David Greenman <davidg@Root.COM> > Reply-To: davidg@Root.COM > Date: Tue, 24 Oct 1995 16:01:09 -0700 > > >It's not that simple. The whole point of the environment option is > >to allow the passing of arbitrary environment variables, because you > >don't know what poeple may want to pass through. Changing telnetd to only > >allow an enumerated list of variables through means that if I have some > >private application that looks at an environement variable, and I want > >to propogate that variable, I then have to go to the administrator and > >ask that my personal variable be added to the list. > > What can I say? It's a feature that has serious security ramifications that > likely can't be completely worked around in all cases. > > >The current fix does the minimal amount of work needed to solve the > >immediate problem, and a better long-term solution can be developed > >without the pressure of getting out a fix ASAP. > > I remain unconvinced that the list of envirnoment variables in the proposed > patch is complete. After looking at the telnet manpage, I understand better > the desire to keep the original functionality of being able to pass arbitrary > variables, but honestly, I think this feature is only marginally useful for the > generic case. Even in the case of DISPLAY, I have to add it to my standard > .login because there are too many systems that I deal with that don't support > telnet environment passing option. > At the moment, I'm seriously considering adding a switch to shut off the > feature in FreeBSD's telnetd and making it the default in inetd.conf. > > -DG I am currently testing new code in telnetd that will allow: 1) Only a specific list of "safe" variables will go directly into the environment. 2) All other variables are encoded in such a way to be "safe"; however after the user has logged in they will need to run a program to make those environment variables accessable. 3) Provide a configuration file for telnetd to custom tailor the "safe" variable list, along with other configuration information. Be patient, the quick patches solve the immediate problem, and provide a little breathing room for working out a much better long term solution to the problem. I'll provide more details once I actually have working code. -David Borman, dab@cray.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9510251500.AA00695>