From owner-freebsd-arch@freebsd.org Tue Jun 20 18:36:38 2017
From: Warner Losh
Date: Tue, 20 Jun 2017 12:36:37 -0600
Subject: Re: rtools were deemed almost unused 15 years ago...
To: Jeremie Le Hen
Cc: "freebsd-arch@freebsd.org"
List-Id: Discussion related to FreeBSD architecture

On Tue, Jun 20, 2017 at 4:25 AM, Jeremie Le Hen wrote:
> Hey folks,
>
> I remember when I was still barely out of my teenagehood, people were
> mostly using ssh/scp while rtools (rsh, rlogin, ... for the
> youngsters) were left in place as a courtesy for legacy production
> systems still relying on them.
>
> Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
> reminds us that suid binaries are an attack surface. I don't even need
> to mention that it's a healthy engineering practice to remove unused
> code, both from a maintenance and security perspective.
>
> Therefore, I hereby propose to remove rtools from the base system. I
> acknowledge this will likely cause trouble for a handful of people
> who are still relying on it for good or bad reasons. But the flipside
> is that the attack surface of millions of FreeBSD installs out there
> will be reduced.
>
> The proposed roadmap is:
> - disable from the build on head and let it soak for one month
> - remove rtools from the base.
>
> What do you guys think? Any preferred color for the bikeshed? :)
>
>
> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Keep the telnet client. It's still heavily used for more things than
connecting to telnetd... The rest can go, as they are niche usage that can
be served by ports.

Warner