> A quick workaround is to change envarok() in telnetd/state.c as > appended. My guess is that only telnetd needs to be changed for now, > as neither rlogin nor rsh (if I remember correctly) allow the client > to pass in environment variables.
Is this environment variable sourced for SUID/SGID programs, too? If yes, there can be situations where ppl can fake address/name mappings which would be otherwise trusted (cause they ae in /etc/hosts). Removing that feature sounds like the best solution.... Greetings bernd
