From: "Ngie Cooper (yaneurabeya)"
To: Baptiste Daroussin
Cc: Jeremie Le Hen, freebsd-arch@freebsd.org
Subject: Re: rtools were deemed almost unused 15 years ago...
Date: Tue, 20 Jun 2017 11:29:19 -0700

> On Jun 20, 2017, at 4:11 AM, Baptiste Daroussin wrote:
>
> On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote:
>> Hey folks,
>>
>> I remember when I was still barely out of my teenagehood, people were
>> mostly using ssh/scp while rtools (rsh, rlogin, ... for the
>> youngsters) were left in place as a courtesy for legacy production
>> systems still relying on them.
>>
>> Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
>> reminds us that suid binaries are an attack surface. I don't even need
>> to mention that it's a healthy engineering practice to remove unused
>> code, both from a maintenance and security perspective.
>>
>> Therefore, I hereby propose to remove rtools from the base system. I
>> acknowledge this will likely cause troubles for a handful of people
>> who are still relying on it for good or bad reasons. But the flipside
>> is that the attack surface of millions of FreeBSD installed out there
>> will be reduced.
>>
>> The proposed roadmap is:
>> - disable from the build on head and let it soak for one month
>> - remove rtools from the base.
>>
>> What do you guys think? Any preferred color for the bikeshed? :)
>>
>> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Yeah!
>
> Is telnetd part of your list?

PS telnet is a different ball of wax. I can create fine-grained knobs
(_SERVER vs _CLIENT). Unfortunately removing both will require a bit
more of an act of congress, but if the patches are available
(somewhere… in a ports equivalent version… I know sjg@ maintains one),
then we can just refer people to that.