Date: Tue, 20 Jun 2017 11:29:19 -0700
From: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
To: Baptiste Daroussin <bapt@FreeBSD.org>
Cc: Jeremie Le Hen <jlh@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: rtools were deemed almost unused 15 years ago...
Message-ID: <459BB948-15B2-4EC0-B6E1-B106ED3B150D@gmail.com>
In-Reply-To: <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net>
References: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com> <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net>
> On Jun 20, 2017, at 4:11 AM, Baptiste Daroussin <bapt@FreeBSD.org> wrote:
>
> On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote:
>> Hey folks,
>>
>> I remember when I was still barely out of my teenagehood, people were
>> mostly using ssh/scp while rtools (rsh, rlogin, ... for the
>> youngsters) were left in place as a courtesy for legacy production
>> systems still relying on them.
>>
>> Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
>> reminds us that suid binaries are an attack surface. I don't even need
>> to mention that it's a healthy engineering practice to remove unused
>> code, both from a maintenance and security perspective.
>>
>> Therefore, I hereby propose to remove rtools from the base system. I
>> acknowledge this will likely cause troubles for a handful of people
>> who are still relying on it for good or bad reasons. But the flipside
>> is that the attack surface of millions of FreeBSD installs out there
>> will be reduced.
>>
>> The proposed roadmap is:
>> - disable from the build on head and let it soak for one month
>> - remove rtools from the base.
>>
>> What do you guys think? Any preferred color for the bikeshed? :)
>>
>> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Yeah!
>
> Is telnetd part of your list?

PS telnet is a different ball of wax. I can create fine-grained knobs (_SERVER vs _CLIENT). Unfortunately removing both will require a bit more of an act of congress, but if the patches are available (somewhere… in a ports equivalent version… I know sjg@ maintains one), then we can just refer people to that.