From: Kris Kennaway
To: Colin Percival
Cc: freebsd-arch@freebsd.org
Date: Wed, 23 May 2007 15:21:03 -0400
Subject: Re: RFC: Removing file(1)+libmagic(3) from the base system
Message-ID: <20070523192103.GA61937@xor.obsecurity.org>
In-Reply-To: <46546E16.9070707@freebsd.org>

On Wed, May 23, 2007 at 09:38:46AM -0700, Colin Percival wrote:
> FreeBSD architects and file(1) maintainer,
>
> I'd like to remove file(1) and libmagic(3) from the FreeBSD base system
> for the following reasons:
> 1. I don't see it as being a necessary component of a UNIX-like operating
> system.
> 2. It's available in the ports tree.
> 3. Due to its nature as a program which parses multiple data formats, it
> poses an unusually high risk of having security problems in the future
> (cf. ethereal/wireshark).
>
> The one redeeming feature of file/libmagic as far as security is concerned
> is that it doesn't act as a daemon, i.e., other code or user intervention
> is required for an attacker to exploit security issues. This is why I'm
> asking here rather than wielding the "Security Officer can veto code which
> he doesn't like" stick. :-)
>
> Can anyone make a strong argument for keeping this code in the base system?

What is the threat you are defending against here: "Admin runs file(1) on
untrusted binary"? If so, how does it differ from e.g. running cat(1) on an
untrusted binary, which can reprogram your terminal emulation and in some
cases take over your terminal; or from various other unprivileged user
binaries that also crash when operating on corrupted data, possibly in an
exploitable way? Last time I checked lots of our /usr/bin tools coredumped
when you passed them unexpected input.

Also, did coverity find the buffer overflow, and if so, what other bugs does
it see in this tool, and have you fixed them? :)

Kris