Re: I-D ACTION:draft-ietf-secsh-connect-12.txt

To: "Darren J Moffat" <Darren.Moffat%Sun.COM@localhost>, "Simon Tatham" <anakin%pobox.com@localhost>
Subject: Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
From: "Joseph Galbraith" <galb-list%vandyke.com@localhost>
Date: Wed, 21 Nov 2001 10:00:35 -0700

Darren Moffat wrote:
> Simon Tatham wrote:
> 
> > If I haven't misunderstood anything, then perhaps an alternative
> > wording might be:
> > 
> > | Uncontrolled setting of environment variables in a privileged
> > | process can be a security hazard, so it is recommended that
> > | implementations either maintain a list of allowable variable names,
> > | or do not actually set the variables until after the server process
> > | has dropped its privileges.
> 
> 
> I think that wording is much more appropriate, since it actually
> describes the problem as well as giving solutions.

I prefer this wording as well -- unless people
feel we can remove it completely.

It seems acceptable to have a implementation note
to me.

- Joseph

References:
- Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
  - From: Simon Tatham
- Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
  - From: Darren J Moffat

Prev by Date: Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
Next by Date: des-cbc cipher
Previous by Thread: Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
Next by Thread: Re: I-D ACTION:draft-ietf-secsh-connect-12.txt
Indexes:

Home | Main Index | Thread Index | Old Index