Subject: Re: bin/2905: setting environment vars from login
To: Greg A. Woods <woods@web.net>
From: Christian Kuhtz <kuhtz@ix.netcom.com>
List: current-users
Date: 11/13/1996 10:30:52

On Tue, 12 Nov 96 23:25:41 -0500 (EST), woods@kuma.web.net (Greg A. Woods)  
mumbled:
> > As someone proposing adding a feature, the burden of proof is on you,
> > to demonstrate that it will not open up new holes, rather than us who
> > object, to demonstrate that it will.
>
> I think that's already been done (i.e. grep the sources for suspect
> variables and add them to the list, plus provide a run-time means of
> enabling the feature in the "standard" binary).

That only fixes part of the problem.  You don't prove that the  
implementation is secure; however, you reduce the damage it can do.  You  
need to show that the library routines cannot be exploited.  In fact,  
that's something that should be done for the current implementation as  
well, unless it already has been done.

> > Given how grossly insecure it turned out to be for telnetd to accept
> > random environment variables from clients, I, for one, will take quite
> > a lot of convincing.
>
> Who ever said anything about "random environment variables"?

The proponents of this proposal, Greg.  The first proposal was to pass all  
login args as environment variables, like TERM etc.  Then, later, after  
much complaint it was suggested to limit the variables to environment  
variables named according to a certain pattern, and later again to stuff it  
all into one environment arg.

Don't play dumb, Greg.  Your quote may not contain the exact words which  
had been used, but the functionality was implicit.

> But not a bad idea....  It doesn't provide the quick generic
> functionality the proposed solution does, but may be a very sound
> alternative for the highly paranoid.

s/highly paranoid/reasonably security conscious professional/g

> No, of course not.  However there were hints made of already logged
> incidents, but I've not yet even received indirect evidence to confirm
> them.

You can look them up yourself.

> I've been thinking like a paranoid in this industry (and I do
> mean the commercial side of this industry, not DoD/DND stuff),

Large parts of the commercial industry align themselves with DOD concepts.

--
Christian Kuhtz <kuhtz@ix.netcom.com>, office: ckuhtz@paranet.com
Network/UNIX Specialist for Paranet, Inc. http://www.paranet.com/
Supercomputing Junkie, et al               MIME/NeXTmail accepted
---- BOYCOTT INTERNET SPAM! See URL http://www.vix.com/spam/ ----