Date:      Tue, 20 Jun 2017 12:36:37 -0600
From:      Warner Losh <imp@bsdimp.com>
To:        Jeremie Le Hen <jlh@freebsd.org>
Cc:        "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject:   Re: rtools were deemed almost unused 15 years ago...
Message-ID:  <CANCZdfoBnSugfbcMNpebb-8GgBWHrN4qFUcQ8f44Lr9xuqd8xQ@mail.gmail.com>
In-Reply-To: <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com>
References:  <CAGSa5y3kVajpSSJUT9Vt0-dTwtaXMwNWvv_ELH14z68osM0UYA@mail.gmail.com>

On Tue, Jun 20, 2017 at 4:25 AM, Jeremie Le Hen <jlh@freebsd.org> wrote:

> Hey folks,
>
> I remember when I was still barely out of my teenagehood, people were
> mostly using ssh/scp while rtools (rsh, rlogin, ... for the
> youngsters) were left in place as a courtesy for legacy production
> systems still relying on them.
>
> Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
> reminds us that suid binaries are an attack surface. I don't even need
> to mention that it's a healthy engineering practice to remove unused
> code, both from a maintenance and security perspective.
>
> Therefore, I hereby propose to remove rtools from the base system.  I
> acknowledge this will likely cause troubles for a handful of people
> who are still relying on it for good or bad reasons. But the flipside
> is that the attack surface of millions of FreeBSD installed out there
> will be reduced.
>
> The proposed roadmap is:
> - disable from the build on head and let it soak for one month
> - remove rtools from the base.
>
> What do you guys think?  Any preferred color for the bikeshed? :)
>
>
>
> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt


Keep the telnet client. It's still heavily used for more things than
connecting to telnetd... The rest can go as they are niche usage that can
be served by ports.

Warner


