Date: Tue, 20 Jun 2017 11:39:11 -0700
From: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
To: Warner Losh <imp@bsdimp.com>
Cc: Jeremie Le Hen <jlh@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: rtools were deemed almost unused 15 years ago...
Message-ID: <AF6F6AA6-941D-4708-B572-0F7B8B2ABA6D@gmail.com>
In-Reply-To: <CANCZdfoBnSugfbcMNpebb-8GgBWHrN4qFUcQ8f44Lr9xuqd8xQ@mail.gmail.com>
References: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com> <CANCZdfoBnSugfbcMNpebb-8GgBWHrN4qFUcQ8f44Lr9xuqd8xQ@mail.gmail.com>

> On Jun 20, 2017, at 11:36 AM, Warner Losh <imp@bsdimp.com> wrote:
>
> On Tue, Jun 20, 2017 at 4:25 AM, Jeremie Le Hen <jlh@freebsd.org> wrote:
>
>> Hey folks,
>>
>> I remember when I was still barely out of my teenagehood, people were
>> mostly using ssh/scp while rtools (rsh, rlogin, ... for the
>> youngsters) were left in place as a courtesy for legacy production
>> systems still relying on them.
>>
>> Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
>> reminds us that suid binaries are an attack surface. I don't even need
>> to mention that it's a healthy engineering practice to remove unused
>> code, both from a maintenance and security perspective.
>>
>> Therefore, I hereby propose to remove rtools from the base system. I
>> acknowledge this will likely cause troubles for a handful of people
>> who are still relying on it for good or bad reasons. But the flipside
>> is that the attack surface of millions of FreeBSD installed out there
>> will be reduced.
>>
>> The proposed roadmap is:
>> - disable from the build on head and let it soak for one month
>> - remove rtools from the base.
>>
>> What do you guys think? Any preferred color for the bikeshed? :)
>>
>> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Keep the telnet client. It's still heavily used for more things than
> connecting to telnetd... The rest can go as they are niche usage that can
> be served by ports.

I’m going to look at our options for telnetd in ports. They both use a common source, so not building telnetd doesn’t give you much RoI.

-Ngie