Subject: Re: Buffer overrun patches
To: Michael Graff <explorer@flame.org>
From: David Holland <dholland@hcs.harvard.edu>
List: tech-userlevel
Date: 09/07/1996 17:31:35
 > >  - telnetd: block the ENV variable from being transferred, as in some
 > >      circumstances this may lead to unexpected execution of commands.
 > >      (ENV points bash and other shells at command text to execute.)
 > 
 > I have applied this but not committed it.  Any objections?

Better block BASH_ENV too (gnu featurism...)

For Linux I went over to explicitly allowing only a certain small
number of variables through. This was because we discovered a bunch of
neato variables you could set in libc to do stuff like change the NIS
domain. <sigh>

You may want to do this too, although it's probably not as necessary.

-- 
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
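The allowlist approach David describes for Linux, shown beside the ENV-only denylist of the quoted patch, as an added example that is not code from this thread or from any telnetd; the allowed set and the sample client-supplied variables are hypothetical, constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist for this example, not telnetd's real one. */
static const char *const allowed_vars[] = { "TERM", "DISPLAY", "LANG", "TZ", NULL };
/* Denylist as in the quoted patch: only ENV is blocked, so BASH_ENV passes. */
static const char *const denied_vars[] = { "ENV", NULL };

static int in_list(const char *const *list, const char *name)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}
int env_allowed(const char *name)    { return in_list(allowed_vars, name); }
int env_not_denied(const char *name) { return !in_list(denied_vars, name); }

/* Filter a NULL-terminated "NAME=value" array in place, keeping only
 * entries whose name satisfies policy; returns the number kept. */
size_t filter_env(const char **env, int (*policy)(const char *))
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        size_t nlen = eq ? (size_t)(eq - env[i]) : strlen(env[i]);
        char name[64];
        if (nlen == 0 || nlen >= sizeof name)
            continue;               /* empty or oversized name: drop it */
        memcpy(name, env[i], nlen);
        name[nlen] = '\0';
        if (policy(name))
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample of what a client might send, including both
     * shell hook variables named in the thread. */
    const char *env[] = { "TERM=xterm", "ENV=/tmp/hook", "BASH_ENV=/tmp/hook", "DISPLAY=:0", NULL };
    for (size_t i = 0, n = filter_env(env, env_allowed); i < n; i++)
        printf("allowlist keeps: %s\n", env[i]);
    return 0;
}
```

With the allowlist policy only TERM and DISPLAY survive; with the denylist policy BASH_ENV is still exported, which is the gap the allowlist closes without having to learn each new shell or libc hook by name.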