You (Bernd Eckenfels) wrote: > > A quick workaround is to change envarok() in telnetd/state.c as > > appended. My guess is that only telnetd needs to be changed for now, > > as neither rlogin nor rsh (if I remember correctly) allow the client > > to pass in environment variables. > > Is this environment variable sourced for SUID/SGID programs, too? If yes,
Yep. If you have shadow, try this: RESOLV_HOST_CONF=/etc/shadow ping localhost > there can be situations where ppl can fake address/name mappings which would > be otherwise trusted (cause they ae in /etc/hosts). Removing that feature > sounds like the best solution.... That would be HOST_ALIASES, and that's on just about every BSD derived system on the planet. (You can have fun with it though). That doesn't look dangerous, btw; you can't change the reverse mappings. This should be fixed in the library, I think. I see no real reason for justifying these environment variables; nobody seemed to know they were there in the first place (still, I think the telnet trick _was_ kind of neat). Mike. -- Miquel van | Cistron Internet Services -- Alphen aan den Rijn. Smoorenburg, | mailto:[EMAIL PROTECTED] http://www.cistron.nl/ [EMAIL PROTECTED] | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)
