Subject: Re: bin/2905: setting environment vars from login
To: Greg A. Woods <email@example.com>
From: Christian Kuhtz <firstname.lastname@example.org>
Date: 11/13/1996 10:30:52
On Tue, 12 Nov 96 23:25:41 -0500 (EST), email@example.com (Greg A. Woods)
> > As someone proposing adding a feature, the burden of proof is on you,
> > to demonstrate that it will not open up new holes, rather than us who
> > object, to demonstrate that it will.
> I think that's already been done (i.e. grep the sources for suspect
> variables and add them to the list, plus provide a run-time means of
> enabling the feature in the "standard" binary).
That only fixes part of the problem. You don't prove that the
implementation is secure; however, you reduce the damage it can do. You
need to show that the library routines cannot be exploited. In fact,
that's something that should be done for the current implementation as
well, unless it already has been done.
> > Given how grossly insecure it turned out to be for telnetd to accept
> > random environment variables from clients, I, for one, will take quite
> > a lot of convincing.
> Who ever said anything about "random environment variables"?
The proponents of this proposal, Greg. The first proposal was to pass all
login args as environment variables, like TERM etc. Then, later, after
much complaint it was suggested to limit the variables to environment
variables named according to a certain pattern, and later again to stuff it
all into one environment arg.
Don't play dumb, Greg. Your quote may not contain the exact words which
had been used, but the functionality was implicit.
> But not a bad idea.... It doesn't provide the quick generic
> functionality the proposed solution does, but may be a very sound
> alternative for the highly paranoid.
s/highly paranoid/reasonably security conscious professional/g
> No, of course not. However there were hints made of already logged
> incidents, but I've not yet even received indirect evidence to confirm
You can look them up yourself.
> I've been thinking like a paranoid in this industry (and I do
> mean the commercial side of this industry, not DoD/DND stuff),
Large parts of the commercial industry align themselves with DOD concepts.
Christian Kuhtz <firstname.lastname@example.org>, office: email@example.com
Network/UNIX Specialist for Paranet, Inc. http://www.paranet.com/
Supercomputing Junkie, et al MIME/NeXTmail accepted
---- BOYCOTT INTERNET SPAM! See URL http://www.vix.com/spam/ ----