Subject: Re: bin/2905: setting environment vars from login
To: None <current-users@NetBSD.ORG>
From: Greg A. Woods <woods@kuma.web.net>
List: current-users
Date: 11/12/1996 23:25:41
[ On Thu, November 7, 1996 at 03:49:40 (-0500), der Mouse wrote: ]
> Subject: Re: bin/2905: setting environment vars from login
>
> As someone proposing adding a feature, the burden of proof is on you,
> to demonstrate that it will not open up new holes, rather than us who
> object, to demonstrate that it will.

I think that's already been done (i.e. grep the sources for suspect
variables and add them to the list, plus provide a run-time means of
enabling the feature in the "standard" binary).

> Given how grossly insecure it turned out to be for telnetd to accept
> random environment variables from clients, I, for one, will take quite
> a lot of convincing.

Who ever said anything about "random environment variables"?

> This sounds as though everyone could be satisfied by adding the
> proposed code to login, but requiring a flag to enable it.  If so, the
> only prices I see are (a) a slight increment in human time required for
> maintenance of the result and (b) the possible increment in insecurity
> on systems where the admin turns this flag on.  (b) doesn't bother me
> and (a) strikes me as small enough to be ignored, probably less than
> the human time wasted by this silly thread so far.

Whew!  Yes!  Thanks!

> I'd still like to see everything after the username stuffed into a
> LOGIN_ARGS variable, but that's another fettle of kish entirely.

But not a bad idea....  It doesn't provide the quick generic
functionality the proposed solution does, but may be a very sound
alternative for the highly paranoid.

> It sounds as though about the only thing you'll accept as demonstration
> here is widespread implementation followed by a rash of breakins
> through that medium and the resulting CERT advisory.

No, of course not.  However there were hints made of already logged
incidents, but I've not yet even received indirect evidence to confirm
them.  I've been thinking like a paranoid in this industry (and I do
mean the commercial side of this industry, not DoD/DND stuff), for quite
a few years now and I can't think of any obvious exploits that might be
possible.  Which isn't to say I conclude there are no exploits -- I'm
quite willing to listen to any ideas and work to prevent them.

-- 
							Greg A. Woods

+1 416 443-1734			VE3TCP			robohack!woods
Planix, Inc. <woods@planix.com>; Secrets Of The Weird <woods@weird.com>
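A filter of the kind the thread argues for (a deny list of suspect variables plus a run-time enable switch), as an added example that is not from this thread or from NetBSD's login; the function names and the deny lists are hypothetical and illustrative only:

```c
/* Added example, not code from this thread or from NetBSD's login: a
 * deny-list filter for NAME=value login-line arguments behind a run-time
 * enable flag. Names are hypothetical; the lists are illustrative only. */
#include <ctype.h>
#include <string.h>

/* Exact names that must never be settable from the login command line. */
static const char *const deny_exact[] = {
    "PATH", "IFS", "HOME", "SHELL", "ENV", "BASH_ENV", "USER", "LOGNAME", NULL
};
/* Prefixes covering dynamic-loader search and preload knobs. */
static const char *const deny_prefix[] = { "LD_", "DYLD_", NULL };

/* Returns 1 if arg is a NAME=value assignment safe to place in the
 * environment, 0 otherwise; enabled is the run-time switch. */
int login_env_arg_ok(const char *arg, int enabled)
{
    const char *eq, *p;
    size_t namelen, i;
    if (!enabled || arg == NULL || (eq = strchr(arg, '=')) == NULL || eq == arg)
        return 0;                          /* disabled, no '=', or empty name */
    namelen = (size_t)(eq - arg);
    if (isdigit((unsigned char)arg[0]))
        return 0;                          /* a name cannot start with a digit */
    for (i = 0; i < namelen; i++)
        if (!isalnum((unsigned char)arg[i]) && arg[i] != '_')
            return 0;                      /* only [A-Za-z0-9_] in a name */
    for (i = 0; deny_exact[i] != NULL; i++)
        if (strlen(deny_exact[i]) == namelen &&
            strncmp(arg, deny_exact[i], namelen) == 0)
            return 0;
    for (i = 0; deny_prefix[i] != NULL; i++)
        if (strncmp(arg, deny_prefix[i], strlen(deny_prefix[i])) == 0)
            return 0;
    for (p = eq + 1; *p != '\0'; p++)
        if (iscntrl((unsigned char)*p))
            return 0;                      /* no control bytes in the value */
    return 1;
}

/* Copies the acceptable assignments from argv[0..argc) to out[] and
 * returns how many were kept; out must hold at least argc pointers. */
int filter_login_env(int argc, char *const argv[], const char *out[], int enabled)
{
    int i, n = 0;
    for (i = 0; i < argc; i++)
        if (login_env_arg_ok(argv[i], enabled))
            out[n++] = argv[i];
    return n;
}
```

With the switch off every assignment is dropped, so the "standard" binary behaves exactly as before; the deny list is where the grep of the sources would feed in.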