From owner-freebsd-arch@freebsd.org Tue Jun 20 11:11:38 2017 Return-Path: Delivered-To: freebsd-arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8237ED95BBA for ; Tue, 20 Jun 2017 11:11:38 +0000 (UTC) (envelope-from bapt@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 622EF7D803; Tue, 20 Jun 2017 11:11:38 +0000 (UTC) (envelope-from bapt@FreeBSD.org) Received: by freefall.freebsd.org (Postfix, from userid 1235) id A80ECD272; Tue, 20 Jun 2017 11:11:37 +0000 (UTC) Date: Tue, 20 Jun 2017 13:11:37 +0200 From: Baptiste Daroussin To: Jeremie Le Hen Cc: freebsd-arch@freebsd.org Subject: Re: rtools were deemed almost unused 15 years ago... Message-ID: <20170620111136.fz5ovfa4imm3p4hj@ivaldir.net> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="43e26ouhtnyr6c2w" Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170609 (1.8.3) X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jun 2017 11:11:38 -0000 --43e26ouhtnyr6c2w Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote: > Hey folks, >=20 > I remember when I was still barely out of my teenagehood, people were > mostly using ssh/scp while rtools (rsh, rlogin, ... for the > youngsters) were left in place as a courtesy for legacy production > systems still relying it on them. >=20 > Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely > reminds us that suid binaries are an attack surface. I don't even need > to mention that it's a healthy engineering practice to remove unused > code, both from a maintenance and security perspective. >=20 > Therefore, I hereby propose to remove rtools from the base system. I > acknowledge this will likely cause troubles for a handful of people > who are still relying on it for good or bad reasons. But the flipside > is that the attack surface of millions of FreeBSD installed out there > will be reduced. >=20 > The proposed roadmap is: > - disable from the build on head and let it soak for one month > - remove rtools from the base. >=20 > What do you guys think? Any preferred color for the bikeshed? :) >=20 >=20 >=20 > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt Yeah! Is telnetd part of your list? Best regards, Bapt --43e26ouhtnyr6c2w Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEgOTj3suS2urGXVU3Y4mL3PG3PloFAllJAuYACgkQY4mL3PG3 PlpAmA/+Jt2Zznwug72P15ZJUjTEYh1CmYXrVrKlBuNH6Bv3quau5iaVUs8dqZca PRVu8FCXnFLlQ6/n3UzxZblxfwFVbFHoQMcLPdVTV/Jj+u2BfpctRNnyTsTrm7BZ 5+KI+vS/VxqxCCVz4zCKaESQGQwfToXCoJxWf2GPsTnVemjtjtw9aZAITvO3XdUV 46lKHB05BI65Cxqm6FGl9cQ5F4h8O3ettr5HHfnQqk2fWXb2jHiH4sm2uxvzS0t0 A56ng9HoO++YQpHqQWzdVbuQsfmDopZq9DbsIjEHR516XKBhteFO//70cc52gAoL rYW+A/57QVZlxh32+ajt02I7Jr1kAyAMj0HNRmTOHktPxYSo/6cQyLcOi4e9U+DC 4hzA6L+AS870AX3pauROgyvSxR1KPr/YszWAbOTg0gQXFTV11UvkCtwfk5nVTh9F zArkzf/mpu9u0Ix8KKVaL5GTJCClPPOSDzhj5mHn97tlglXbdDx8nDMrSYrXJLgi odK+y7l9GU7X8PwkCW5sdzU0wkoDRgulWSQhX8oMiP8xBRhHdu3IqaBeASa30NbP /CLznciytlDaPYOOYZhBxguPyBXp0Gvls9YpqKyIDs0IlhDjWT/cBUkaAgvqGu8R t9rRgr87wim22XeQ0bgfGhk5JCV20PWwsW+TOOmz3AIBxnd14uI= =G+yo -----END PGP SIGNATURE----- --43e26ouhtnyr6c2w--