Date:      Wed, 23 May 2007 16:10:38 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        roberto@keltia.freenix.fr
Cc:        freebsd-arch@freebsd.org
Subject:   Re: RFC: Removing file(1)+libmagic(3) from the base system
Message-ID:  <20070523.161038.-1989860747.imp@bsdimp.com>
In-Reply-To: <20070523213251.GA14733@keltia.freenix.fr>
References:  <46546E16.9070707@freebsd.org> <7158.1179947572@critter.freebsd.dk> <20070523213251.GA14733@keltia.freenix.fr>

In message: <20070523213251.GA14733@keltia.freenix.fr>
            Ollivier Robert <roberto@keltia.freenix.fr> writes:
: According to Poul-Henning Kamp:
: > On this I would tend to disagree strongly.  The ability to identify
: > random files has been a key component of UNIX for many years and
: > I think people would be significantly surprised if we stopped
: > providing it.
: 
: Agreed, take this message as a strong no from myself as well.

I would argue that it would make the system LESS secure, because one
loses the ability to identify files on the system.  People are going
to install it anyway, and it is a jump ball as to whether having it in
the base system would cause vulnerabilities to be updated faster than
having it in ports (both the actual update in the system, as well as
the user causing the update to happen: ports are a touch easier to
update, but lag a bit both in terms of people updating their ports
tree and ports committers updating the port).

And for there to be any exploitable vulnerability, the attacker would
need to feed the victim a bogusly formatted file, and cause the victim
to run file on that file.  I doubt that the latest security hole will
ever result in a system compromise...

I guess I fail to see how this is any different than the .gz bugs that
were found a while ago.  Nobody suggested removing .gz from the tree
because a few bugs were found.  Everybody suggested updating right
away to fix those bugs.  File is no different, and really should
remain in the tree.

In short: this is a silly idea.  Don't do it.

Warner


