[1219] in linux-security and linux-alert archive


Re: [linux-security] libc 5.4.7

daemon@ATHENA.MIT.EDU (David Holland)
Sun Oct 13 12:57:03 1996

From: David Holland <dholland@eecs.harvard.edu>
To: rosc@fbn.globalent.net (Roscinante)
Date: Wed, 9 Oct 1996 17:21:58 -0400 (EDT)
Cc: dholland@eecs.harvard.edu, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.95.961009143040.1022D-100000@fbn.globalent.net> from "Roscinante" at Oct 9, 96 02:35:35 pm

 > >  > Would you be willing to patch that up?
 > 
 > > IMNSHO tty snooping is a violation of user privacy. I don't want any
 > > part of it, so, frankly, telnetsnoopd can fend for itself. It sounds
 > > like this is just another good reason not to use it...
 > 
 > Are there patches to the original telnet/d at least??  I don't mean
 > to question anyone's morality, but I do use ttysnoop to -help- show
 > my users how to do things, and have occasionally snooped people
 > cracking... That's really unrelated to wanting to patch the src so
 > it's not an easy crack tho...

You need to patch it to block all environment variables except for
those known to be safe (which is basically limited to a half dozen or
so you can find in the current telnetd source.)

I don't have telnetd diffs; you can make them with old netkit sources
(judging from the date on the rcsid you posted, you need to go *way*
back) but they're enormous. Which, as you might guess, is why I don't
have them.

Frankly, if what you want is a gadget for helping users, you probably
want something that works more like script(1), and rather than
expending effort on lost causes like telnetsnoopd you should spend the
same time hacking script.

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
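
Added example, not part of the original message or of the netkit sources: a C sketch of the allowlist approach described above, where a daemon accepts only environment variables whose names are on a known-safe list. The names in SAFE_ENV, the helpers env_allowed and filter_env, and the sample request are assumptions made for illustration; the real list should be taken from the current telnetd source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for illustration only; use the list from your telnetd source. */
static const char *const SAFE_ENV[] = { "TERM", "DISPLAY", "USER", "LOGNAME" };

/* Return 1 only if the NAME part of "NAME=value" exactly matches an allowlisted name. */
int env_allowed(const char *assignment)
{
    const char *eq = assignment ? strchr(assignment, '=') : NULL;
    size_t i, len;

    if (eq == NULL || eq == assignment)
        return 0;                   /* no '=' or empty name: reject */
    len = (size_t)(eq - assignment);
    for (i = 0; i < sizeof(SAFE_ENV) / sizeof(SAFE_ENV[0]); i++) {
        /* Compare the full length so "TERMINAL" does not pass as "TERM". */
        if (strlen(SAFE_ENV[i]) == len && strncmp(assignment, SAFE_ENV[i], len) == 0)
            return 1;
    }
    return 0;                       /* default deny: anything unlisted is dropped */
}

/* Copy allowed entries of a NULL-terminated request list into out[]
 * (cap slots, including the terminating NULL). Returns the number kept. */
size_t filter_env(const char *const *requested, const char **out, size_t cap)
{
    size_t kept = 0;

    if (cap == 0)
        return 0;
    for (; *requested != NULL; requested++)
        if (kept + 1 < cap && env_allowed(*requested))
            out[kept++] = *requested;
    out[kept] = NULL;
    return kept;
}

/* Constructed sample of what a client might ask the daemon to set. */
static const char *const SAMPLE_REQUEST[] = {
    "TERM=vt100", "SOME_OTHER_VAR=1", "TERMINAL=x", "DISPLAY=host:0", "=novalue", "USER", NULL
};

int main(void)
{
    const char *out[8];
    size_t i, n = filter_env(SAMPLE_REQUEST, out, 8);

    for (i = 0; i < n; i++)
        printf("accepted: %s\n", out[i]);
    return 0;
}
```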
