IETF-SSH archive

Re: I-D ACTION:draft-ietf-secsh-connect-12.txt



<Internet-Drafts%ietf.org@localhost> wrote:
> 	Title		: SSH Connection Protocol
[...]
> 	Filename	: draft-ietf-secsh-connect-12.txt

Markus has just drawn my attention to section 4.4, which I hadn't
noticed before. I've got one small comment on it:

| Typically, each machine will have a preconfigured set of variables
| that it will allow. Since uncontrolled setting of environment
| variables can be very dangerous, it is recommended that
| implementations allow setting only variables whose names have been
| explicitly configured to be allowed.

Surely uncontrolled setting of environment variables is only
dangerous if you do it while you're still running as root? I was
under the impression that all the problems in Telnet's environment
passing mechanism have come up because telnetd invokes login to
authenticate the user, so login runs as root with all the user's
environment variables available. Whereas the typical SSH server will
do the uid change itself, so it can set the environment variables
_after_ it changes uid and then the only person who can be hurt by
malicious or incompetent setting of (e.g.) LD_PRELOAD is the user
themself.

I'm sure there are some SSH servers, or some situations, in which
this won't be the case, but it seems far from obvious to me that the
above text is appropriate for every implementation or even for the
typical ones. Have I misunderstood?

If I haven't misunderstood anything, then perhaps an alternative
wording might be:

| Uncontrolled setting of environment variables in a privileged
| process can be a security hazard, so it is recommended that
| implementations either maintain a list of allowable variable names,
| or do not actually set the variables until after the server process
| has dropped its privileges.

Cheers,
Simon
-- 
Simon Tatham         "_shin_, n. An ingenious device for
<anakin%pobox.com@localhost>    finding tables and chairs in the dark."
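
The two mitigations named in the proposed wording above, as an added example that is not part of the original message and not code from any SSH implementation. The allowlist contents, the `child_env` structure, the function names and the sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV   32
#define MAX_ENTRY 256

/* Hypothetical allowlist (assumption): names an administrator configured. */
static const char *const allowed_names[] = { "LANG", "LC_ALL", "TERM", NULL };

/* Environment assembled for the session, in "NAME=value" form. */
struct child_env { char entry[MAX_ENV][MAX_ENTRY]; size_t count; };

static int allowlisted(const char *name) {
    for (size_t i = 0; allowed_names[i] != NULL; i++)
        if (strcmp(name, allowed_names[i]) == 0) return 1;
    return 0;
}

/* Handle one "env" request. consumer_is_privileged is nonzero when a process
 * that has not yet changed uid will run with this environment.
 * Returns 1 if the variable was added, 0 if it was refused. */
int handle_env_request(struct child_env *env, const char *name,
                       const char *value, int consumer_is_privileged) {
    if (!name || !*name || strchr(name, '=') || !value) return 0;
    if (consumer_is_privileged && !allowlisted(name)) return 0;
    if (env->count == MAX_ENV) return 0;
    int n = snprintf(env->entry[env->count], MAX_ENTRY, "%s=%s", name, value);
    if (n < 0 || n >= MAX_ENTRY) return 0; /* refuse instead of truncating */
    env->count++;
    return 1;
}

int main(void) {
    /* Constructed sample requests. */
    const char *req[][2] = { {"TERM", "xterm"}, {"LD_PRELOAD", "/tmp/example.so"} };
    for (int privileged = 1; privileged >= 0; privileged--) {
        struct child_env env = { .count = 0 };
        for (size_t i = 0; i < 2; i++) {
            int ok = handle_env_request(&env, req[i][0], req[i][1], privileged);
            printf("privileged=%d %s: %s\n", privileged, req[i][0],
                   ok ? "accepted" : "refused");
        }
    }
    return 0;
}
```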


