From owner-freebsd-security Thu Oct 26 05:27:11 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id FAA04215 for security-outgoing; Thu, 26 Oct 1995 05:27:11 -0700 Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.95.74]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id FAA04210 for ; Thu, 26 Oct 1995 05:27:09 -0700 Received: (from robert@localhost) by fledge.watson.org (8.6.11/8.6.10) id IAA09174; Thu, 26 Oct 1995 08:27:03 -0400 Date: Thu, 26 Oct 1995 08:27:02 -0400 (EDT) From: Robert Watson To: David Greenman cc: gwk@cray.com, phk@critter.tfs.com, dab@berserkly.cray.com, hartmans@mit.edu, security@freebsd.org Subject: Re: telnetd fix In-Reply-To: <199510261200.FAA00275@corbin.Root.COM> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org Precedence: bulk Maybe we should be considering a .telnetrc which can be configured to pass the variables of choice on from the incoming session to the shell.. As in, on the system being telneted TO, have a .telnetrc file something like this: ---cut--- environment DISPLAY TERM ---cut--- Or, if we wanted to get really exciting (or at least, overly complicated) have a variable that sets the imported variables :). The best solution is really just to skip environmental implementation until after login is done, passing them on in some way to the shell session. Possibly by implementing something in the (eww) manner of the DOS environmental block, passed on the child processes, but not actually used by the parent. Another option is to drop environmental variable passing.. As a person who uses their FreeBSD/X system to access a lot of Sun systems, I can't pass the variables anyway, as their telnetd doesn't pick them up. This is a kind of biased suggestion, as due to the objections to this option already, one can guess that there are users around :) On Thu, 26 Oct 1995, David Greenman wrote: > >> > At the moment, I'm seriously considering adding a switch to shut off the > >> > feature in FreeBSD's telnetd and making it the default in inetd.conf. > >> > >> YES! > >> > >> -- > >> Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. > > > >NO! > > > >I'd rather like to see a statically linked login, which would plug the > >hole without any side-effects. > > Have people not been listening? The problem I keep bringing up has to do > with environment variables used in libc. Building login static doesn't affect > this. My original message is attached. > > -DG > > To: dab@cray.com > cc: security@freebsd.org, hartmans@mit.edu > Subject: telnetd fix > From: David Greenman > Reply-To: davidg@Root.COM > -------- > Dave - > > Hi; I've been thinking about the telnetd security patch that was recently > sent out. I've been watching the list of "vulnerable" environment variables > grow daily...I really think that excluding certain environment variables is the > wrong approach to solving the problem. I think it is is much wiser to do an > inclusive test rather than an exclusive one - in other words, only allow > setting specific environment variables such as DISPLAY and TERM (perhaps those > two comprise a complete list - I can't think of any legitimate others). The > reasoning is simple: while you may catch the current set of environment > variables related to shared library spoofing, a quick search through _just_ > libc in FreeBSD reveals yet another list of worries: > > HOME > TZNAME > TZ > LANG > TMPDIR > NLSPATH > RES_OPTIONS > HOSTALIASES > LOCALDOMAIN > PATH_LOCALE > > Login(1), in particular, delays for a considerable amount of code before > destroying it's inherited environment. While some of these variables may not > be used in login(1), or may not in themselves be usable in a security attack, > the potential problems may exist for some of them. The variables related to > the resolver are troubling to start with and the path-related ones could > conceivably be used to read protected files. ...and of course there is the > issue of future vulnerability when new variables are added in the libraries or > in the program startup code (crt0). > So the bottom line is that I strongly believe that excluding certain sets > of variables isn't the right approch and I hope you'll reconsider the proposed > bugfix for telnetd. > Thanks for listening... > > -DG