Collin Funk <[email protected]> writes:

>> I don't think the proposal to dump the entire protocol into syslog
>> seems like a great idea either, which would require substantial
>> sanitization. Instead for Debian I went with a relatively simple
>> change from using «/tmp/telnet-debug» to «/run/telnet/debug.<PID>»,
>> and made telnetd print the pathname used on the telnet session.
>>
>> I suppose an alternative could be to let the telnetd user specify a
>> filename to use. But the /run switch seems good enough to me.
>
> I don't like the syslog idea either.
>
> I kind of feel like the option should just be removed. I can't find any
> users of 'telnetd --debug' or 'telnetd -D' on GitHub or Debian code
> search. If someone needs to debug telnet, Wireshark is available pretty
> much everywhere.
I think it would be fine to just remove this (anti-)feature. However, ftpd supports --debug to send things to syslog. Is it similarly vulnerable? Assuming that attackers can add '--debug' to the telnetd invocation and can also read syslog content doesn't seem all that reasonable to me.

/Simon