Date: Tue, 20 Jun 2017 19:17:44 +0200 From: Joel Dahl <joel@vnode.se> To: Michael Gmelin <freebsd@grem.de> Cc: Baptiste Daroussin <bapt@FreeBSD.org>, Jeremie Le Hen <jlh@freebsd.org>, freebsd-arch@freebsd.org Subject: Re: rtools were deemed almost unused 15 years ago... Message-ID: <20170620171744.GA72667@ymer.vnode.se> In-Reply-To: <20170620155954.150dedc5@bsd64.grem.de> References: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com> <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net> <20170620155954.150dedc5@bsd64.grem.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jun 20, 2017 at 03:59:54PM +0200, Michael Gmelin wrote: > > > On Tue, 20 Jun 2017 13:11:37 +0200 > Baptiste Daroussin <bapt@FreeBSD.org> wrote: > > > On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote: > > > Hey folks, > > > > > > I remember when I was still barely out of my teenagehood, people > > > were mostly using ssh/scp while rtools (rsh, rlogin, ... for the > > > youngsters) were left in place as a courtesy for legacy production > > > systems still relying it on them. > > > > > > Fast forward to 2017 (so yes, 15 years later), stack-clash [1] > > > sorely reminds us that suid binaries are an attack surface. I don't > > > even need to mention that it's a healthy engineering practice to > > > remove unused code, both from a maintenance and security > > > perspective. > > > > > > Therefore, I hereby propose to remove rtools from the base system. > > > I acknowledge this will likely cause troubles for a handful of > > > people who are still relying on it for good or bad reasons. But the > > > flipside is that the attack surface of millions of FreeBSD > > > installed out there will be reduced. > > > > > > The proposed roadmap is: > > > - disable from the build on head and let it soak for one month > > > - remove rtools from the base. > > > > > > What do you guys think? Any preferred color for the bikeshed? :) > > > > > > > > > > > > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt > > > > Yeah! > > > > Is telnetd part of your list? > > As long as the telnet(1) client stays in I'm all for it. +1. Please keep the telnet client. It's something I expect be part of the base system utilities. I use it all the time. -- Joel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170620171744.GA72667>