Date: Tue, 20 Jun 2017 08:03:43 -0600 From: Ian Lepore <ian@freebsd.org> To: Michael Gmelin <freebsd@grem.de>, Baptiste Daroussin <bapt@FreeBSD.org> Cc: Jeremie Le Hen <jlh@freebsd.org>, freebsd-arch@freebsd.org Subject: Re: rtools were deemed almost unused 15 years ago... Message-ID: <1497967423.81013.76.camel@freebsd.org> In-Reply-To: <20170620155954.150dedc5@bsd64.grem.de> References: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com> <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net> <20170620155954.150dedc5@bsd64.grem.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 2017-06-20 at 15:59 +0200, Michael Gmelin wrote: > > On Tue, 20 Jun 2017 13:11:37 +0200 > Baptiste Daroussin <bapt@FreeBSD.org> wrote: > > > > > On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote: > > > > > > Hey folks, > > > > > > I remember when I was still barely out of my teenagehood, people > > > were mostly using ssh/scp while rtools (rsh, rlogin, ... for the > > > youngsters) were left in place as a courtesy for legacy > > > production > > > systems still relying it on them. > > > > > > Fast forward to 2017 (so yes, 15 years later), stack-clash [1] > > > sorely reminds us that suid binaries are an attack surface. I > > > don't > > > even need to mention that it's a healthy engineering practice to > > > remove unused code, both from a maintenance and security > > > perspective. > > > > > > Therefore, I hereby propose to remove rtools from the base > > > system. > > > I acknowledge this will likely cause troubles for a handful of > > > people who are still relying on it for good or bad reasons. But > > > the > > > flipside is that the attack surface of millions of FreeBSD > > > installed out there will be reduced. > > > > > > The proposed roadmap is: > > > - disable from the build on head and let it soak for one month > > > - remove rtools from the base. > > > > > > What do you guys think? Any preferred color for the bikeshed? :) > > > > > > > > > > > > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt > > > > > Yeah! > > > > Is telnetd part of your list? > As long as the telnet(1) client stays in I'm all for it. > > -m > As long as ports are available for all these things, the impact of removing them should be negligible for the few still using them. -- Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1497967423.81013.76.camel>