
Bug#790401: openssh: Please pass the XTERM_VERSION environment variable



On 2015-06-29 05:43:07 +0200, Christoph Anton Mitterer wrote:
> We've had the same discussion last time when it was about LC_*.
> 
> It's generally a bad idea to change the secure default of not
> forwarding/accepting anything.

I completely disagree that passing XTERM_VERSION is not secure
(this RFE is about this particular variable, and not anything else).

FYI, this may be useful for Emacs in order to avoid silent file
corruption.

> But we shouldn't increase the list even more, just because some think
> that a certain variable may be useful to pass on.
> Otherwise we just see more and more people who have their special
> wishes and sooner or later we end up with "*".

This is a silly argument. No-one has ever asked for "*".

> Especially for terminals and shells there are special env vars galore
> (e.g. VTE, BASH, etc. pp.)

The remote shell is not necessarily the same, so that there is
no reason to pass shell-related variables by default. Perhaps
VTE_VERSION could be useful, but this isn't even clear.

> It's configurable, so why can't you just set it on those systems where
> you need it?

For ssh_config, I agree that this isn't really necessary, since the
user can have their own .ssh/config settings. But conversely, this has
no effect on the security.

But for sshd_config, it requires a change from the administrator
of the machine, and many administrators will not try to change the
defaults.

Alternatively this could be controlled by a debconf option, with two
choices:

1. One that doesn't accept any environment variable (possibly, not
   even $TERM).

2. One that accepts locale and terminal related variables, which is a
   good compromise for machines that support both shell accounts and
   specific commands.

I completely agree that one shouldn't pass too much. For instance,
GREP_OPTIONS could be very harmful for specific commands since it
modifies the standard behavior of GNU grep.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
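
The choice debated in this message comes down to which variable names the server's AcceptEnv patterns let through. As an added example (not part of the original message), this Python script evaluates constructed sshd_config fragments against candidate names; it assumes AcceptEnv patterns use only the `*` and `?` wildcards and it ignores Match blocks.

```python
import re

# Constructed sample sshd_config fragments (not taken from the thread).
LOCALE_AND_TERMINAL = """\
# locale and terminal related variables only
AcceptEnv LANG LC_*
AcceptEnv XTERM_VERSION
"""
TOO_BROAD = "AcceptEnv LANG LC_* *_OPTIONS\n"

# Names a client might try to send (constructed list for the demonstration).
CANDIDATES = ["LANG", "LC_ALL", "XTERM_VERSION", "VTE_VERSION",
              "BASH_ENV", "GREP_OPTIONS"]


def accept_patterns(config_text):
    """Collect the patterns of every AcceptEnv line (keyword is case-insensitive)."""
    patterns = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        words = line.split()
        if words[0].lower() == "acceptenv":
            patterns.extend(words[1:])  # several AcceptEnv lines accumulate
    return patterns


def pattern_to_regex(pattern):
    """Translate a pattern: '*' is any run of characters, '?' is exactly one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


def accepted(config_text, names):
    """Return the names, in order, that at least one AcceptEnv pattern matches."""
    regexes = [pattern_to_regex(p) for p in accept_patterns(config_text)]
    return [n for n in names if any(r.fullmatch(n) for r in regexes)]


if __name__ == "__main__":
    for label, cfg in (("locale+terminal", LOCALE_AND_TERMINAL),
                       ("too broad", TOO_BROAD)):
        print(f"{label}: {accepted(cfg, CANDIDATES)}")
```

Running the same check over a real sshd_config shows whether a wildcard meant for one family of variables also admits something like GREP_OPTIONS.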

