
Bug#4333: telnetd should be more paranoid about environment



Package: netstd
Version: 2.06-1

Right now, telnetd checks for a few dangerous environment variables.
I think it should do what telnetd in NetKit-0.08 does: only allow
a few variables which are known to be safe, and don't allow any
others.  The problem is that you never know that the list of the
dangerous variables is complete.

For example, we check for ENV, but not for BASH_ENV (mentioned in
the bash man page in one place - GNU creeping featurism strikes
again, argh), and also not for RESOLV_HOST_CONF and a few others.
NetKit-0.08 telnetd only allows DISPLAY, TERM, USER, LOGNAME and
POSIXLY_CORRECT.  I think we should do the same (ideally, the list
should be made configurable without recompiling, but that can be
done later).

Marek
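
The two policies contrasted in the report above, as an added example in C (not code from netstd or NetKit). The allowlist is the five names the report quotes for NetKit-0.08; the one-entry denylist and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Allowlist quoted in the report for NetKit-0.08 telnetd. */
static const char *const allowed[] = {
    "DISPLAY", "TERM", "USER", "LOGNAME", "POSIXLY_CORRECT", NULL
};
/* Constructed denylist: the report only says ENV is among the checked names. */
static const char *const denied[] = { "ENV", NULL };

/* Return 1 if the NAME part of "NAME=value" exactly matches a list entry. */
static int name_in_list(const char *entry, const char *const *list)
{
    const char *eq = strchr(entry, '=');
    size_t len;

    if (eq == NULL || eq == entry)
        return 0;               /* malformed entry: no '=' or empty name */
    len = (size_t)(eq - entry);
    for (; *list != NULL; list++)
        if (strlen(*list) == len && strncmp(entry, *list, len) == 0)
            return 1;
    return 0;
}

/* Denylist policy: anything not named passes, including unknown names. */
int denylist_keeps(const char *entry) { return !name_in_list(entry, denied); }

/* Allowlist policy: only known-safe names pass; unknown names are dropped. */
int allowlist_keeps(const char *entry) { return name_in_list(entry, allowed); }

/* Compact a NULL-terminated envp in place, keeping allowlisted entries.
 * Returns the number of entries kept. */
size_t scrub_env(char **envp)
{
    size_t kept = 0;

    for (char **p = envp; *p != NULL; p++)
        if (allowlist_keeps(*p))
            envp[kept++] = *p;
    envp[kept] = NULL;
    return kept;
}
```

The name comparison is exact on the text before `=`, so a variable that merely starts with an allowed name (for instance `TERMCAP`) is not accepted as `TERM`.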


