[6122] in Kerberos
Re: Telnet vulnerability--shared library loading
daemon@ATHENA.MIT.EDU (Casper H.S. Dik - Network Security)
Fri Nov 3 17:08:14 1995
To: kerberos@MIT.EDU
Date: 3 Nov 1995 08:49:45 GMT
From: Casper.Dik@Holland.Sun.COM (Casper H.S. Dik - Network Security Engineer)
besancon@excalibur.ens.fr (Thierry Besancon) writes:
>Would you mind telling us what introducing environment variable
>passing was useful for in alpha/beta ? At this time, EVERYBODY
>concerned with security knows how shared libraries can be
>dangerous. So what's the use of playing with fire ???

Environment variable passing by telnet/telnetd is a feature that was
copied from the standard, enhanced telnet sources. Sun had been
using a pretty ancient telnet/telnetd pair before and it was felt
that the implementation needed to be upgraded.

Since the implementation was copied, an oversight (passing LD_* variables)
was easily made.

Environment variable passing is still implemented in 2.5 FCS, but not
all environment variables are accepted.

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
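
Added example, not part of the original post and not Sun's telnetd code: one way a telnet daemon can accept only some client-supplied environment variables, so that LD_* entries never reach the login process. The function names, the allowlist contents and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist (an assumption, not Sun's list). Anything not
 * named here, including every LD_* variable, is dropped. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "LANG", NULL };

/* Return 1 if a client-supplied "NAME=value" entry may be passed on. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen, i;

    if (eq == NULL || eq == entry)      /* malformed: no '=' or empty name */
        return 0;
    nlen = (size_t)(eq - entry);
    for (i = 0; allowed_names[i] != NULL; i++) {
        /* Exact name match only, so TERMCAP does not pass as TERM. */
        if (strlen(allowed_names[i]) == nlen &&
            memcmp(entry, allowed_names[i], nlen) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated envp in place, keeping allowed entries only.
 * Returns the number of entries kept. */
size_t scrub_client_env(char **envp)
{
    char **src, **dst;

    for (src = dst = envp; *src != NULL; src++)
        if (env_entry_allowed(*src))
            *dst++ = *src;
    *dst = NULL;
    return (size_t)(dst - envp);
}

int main(void)
{
    /* Constructed sample of variables a client might send. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=example", "LD_PRELOAD=example.so",
                    "TERMCAP=junk", "DISPLAY=host:0", NULL };
    size_t i, kept = scrub_client_env(env);

    for (i = 0; i < kept; i++)
        puts(env[i]);                   /* entries that survive the filter */
    return 0;
}
```

An allowlist is used here rather than a list of rejected prefixes because a newly introduced loader variable is then dropped by default instead of passed through.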