On 2015-06-29 05:43:07 +0200, Christoph Anton Mitterer wrote: > We've had the same discussion last time when it was about LC_*. > > It's generally a bad idea to change the secure default of not > forwarding/accepting anything.
I completely disagree that passing XTERM_VERSION is not secure (this RFE is about this particular variable, and not anything else). FYI, this may be useful for Emacs in order to avoid silent file corruption. > But we shouldn't increase the list even more, just because some think > that a certain variable may be useful to pass on. > Otherwise we just see more and more people who have their special > wishes and sooner or later we end up with "*". This is a silly argument. No-one has ever asked for "*". > Especially for terminals and shells there are special env vars galore > (e.g. VTE, BASH, etc. pp.) The remote shell is not necessarily the same, so that there is no reason to pass shell-related variables by default. Perhaps VTE_VERSION could be useful, but this isn't even clear. > It's configurable, so why can't you just set it on those systems where > you need it? For ssh_config, I agree that this isn't really necessary, since the user can have its own .ssh/config settings. But conversely, this has no effect on the security. But for sshd_config, it requires a change from the administrator of the machine, and many administrators will not try to change the defaults. Alternatively this could be controlled by a debconf option, with two choices: 1. One that doesn't accept any environment variable (possibly, not even $TERM). 2. One that accepts locale and terminal related variables, which is a good compromise for machines that support both shell accounts and specific commands. I completely agree that one shouldn't pass too much. For instance, GREP_OPTIONS could be very harmful for specific commands since it modifies the standard behavior of GNU grep. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
