From owner-freebsd-arch@FreeBSD.ORG  Wed Mar  1 21:10:56 2006
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
X-Original-To: arch@freebsd.org
Delivered-To: freebsd-arch@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5FD9416A420;
	Wed,  1 Mar 2006 21:10:56 +0000 (GMT)
	(envelope-from wxs@syn.csh.rit.edu)
Received: from syn.csh.rit.edu (syn.csh.rit.edu [129.21.60.158])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EFBEC43D45;
	Wed,  1 Mar 2006 21:10:55 +0000 (GMT)
	(envelope-from wxs@syn.csh.rit.edu)
Received: from syn.csh.rit.edu (localhost [127.0.0.1])
	by syn.csh.rit.edu (8.13.4/8.13.4) with ESMTP id k21LJW8g046215;
	Wed, 1 Mar 2006 16:19:32 -0500 (EST)
	(envelope-from wxs@syn.csh.rit.edu)
Received: (from wxs@localhost)
	by syn.csh.rit.edu (8.13.4/8.13.4/Submit) id k21LJWCw046213;
	Wed, 1 Mar 2006 16:19:32 -0500 (EST) (envelope-from wxs)
Date: Wed, 1 Mar 2006 16:19:32 -0500
From: Wesley Shields <wxs@csh.rit.edu>
To: Lowell Gilbert <freebsd-current-local@be-well.ilk.org>
Message-ID: <20060301211932.GA42815@csh.rit.edu>
References: <20060301170306.GZ55746@elvis.mu.org>
	<4405F673.8060907@samsco.org> <44mzg9ucpm.fsf@be-well.ilk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44mzg9ucpm.fsf@be-well.ilk.org>
User-Agent: Mutt/1.5.11
Cc: arch@freebsd.org, current@freebsd.org
Subject: Re: HEADS UP: Importing csup into base
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2006 21:10:56 -0000

On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> Scott Long <scottl@samsco.org> writes:
> 
> > Maxime Henrion wrote:
> > > 	Hey all,
> > > I have released a new snapshot of csup a few minutes ago,
> > 
> > [...]
> > 
> > >   - Executes (shell commands sent by the server, even more rarely
> > > used),
> > 
> > Are you joking?
> 
> Are you asking whether he's joking about (1) the idea of ever
> implementing it, (2) the fact that he hasn't done it yet, or 
> (3) the idea that it's rarely used?  All of those sound 
> reasonable to me...

I'm questioning (1) myself.  This just seems like a bad idea from a
security perspective.  Of course, some kind of sanitization could
mitigate the issue.

-- WXS