Date: Tue, 20 Jun 2017 15:52:29 +0000 From: Brooks Davis <brooks@freebsd.org> To: Michael Gmelin <freebsd@grem.de> Cc: Baptiste Daroussin <bapt@FreeBSD.org>, Jeremie Le Hen <jlh@freebsd.org>, freebsd-arch@freebsd.org Subject: Re: rtools were deemed almost unused 15 years ago... Message-ID: <20170620155229.GC88227@spindle.one-eyed-alien.net> In-Reply-To: <20170620155954.150dedc5@bsd64.grem.de> References: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com> <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net> <20170620155954.150dedc5@bsd64.grem.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--hHWLQfXTYDoKhP50 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 20, 2017 at 03:59:54PM +0200, Michael Gmelin wrote: >=20 >=20 > On Tue, 20 Jun 2017 13:11:37 +0200 > Baptiste Daroussin <bapt@FreeBSD.org> wrote: >=20 > > On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote: > > > Hey folks, > > >=20 > > > I remember when I was still barely out of my teenagehood, people > > > were mostly using ssh/scp while rtools (rsh, rlogin, ... for the > > > youngsters) were left in place as a courtesy for legacy production > > > systems still relying it on them. > > >=20 > > > Fast forward to 2017 (so yes, 15 years later), stack-clash [1] > > > sorely reminds us that suid binaries are an attack surface. I don't > > > even need to mention that it's a healthy engineering practice to > > > remove unused code, both from a maintenance and security > > > perspective. > > >=20 > > > Therefore, I hereby propose to remove rtools from the base system. > > > I acknowledge this will likely cause troubles for a handful of > > > people who are still relying on it for good or bad reasons. But the > > > flipside is that the attack surface of millions of FreeBSD > > > installed out there will be reduced. > > >=20 > > > The proposed roadmap is: > > > - disable from the build on head and let it soak for one month > > > - remove rtools from the base. > > >=20 > > > What do you guys think? Any preferred color for the bikeshed? :) > > >=20 > > > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt =20 > >=20 > > Yeah! > >=20 > > Is telnetd part of your list? >=20 > As long as the telnet(1) client stays in I'm all for it. Given the state of maintenance of our telnet code (FreeBSD-SA-16:36.telnetd fixed a bug fixed in heimdal telnet well over a decade ago), all the telnet code should be purged. For most uses nc will suffice. For others, we should make sure there's something in ports: either the crufty base system one or something like https://github.com/seanmiddleditch/libtelnet/ -- Brooks --hHWLQfXTYDoKhP50 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJZSUS9AAoJEKzQXbSebgfAQxEH/jaW88irmPX56Q+cEX5W0Kss 2G4jyCi2EknMgAJZ+SUw8JdpDymM6NzV2iy0yC88hyeylc8UnV4kCnDrfvu750Jm 46sxyGgxf4nwzG5AEGiyeU45PfK56fGBVzWcAbWoN6mnhMbiuQmBLclAay7A2TSh 4/zUaRlymCdnrcUczvDKhX2CGNxLho14Qydd7eryVtxxBDeKJFDg47YT6m+QZvdh wrMytNMNYglFUrUt2L3tuEYe351RDgXbj9Qlm0RVnFOFZBqcfxquXUxpC5dh4OJ2 O/9AAPZNY2FXzw7FSOJfTucUuTia9QUAqNBvsbzWMIFBY7z3H63Pr9UytmxFD1w= =eiMw -----END PGP SIGNATURE----- --hHWLQfXTYDoKhP50--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170620155229.GC88227>