Date: Thu, 24 May 2007 22:31:48 +1000 From: Peter Jeremy <peterjeremy@optushome.com.au> To: Colin Percival <cperciva@FreeBSD.ORG>, "freebsd-arch@freebsd.org" <freebsd-arch@FreeBSD.ORG> Subject: Re: RFC: Removing file(1)+libmagic(3) from the base system Message-ID: <20070524123148.GC1160@turion.vk2pj.dyndns.org> In-Reply-To: <20070523212325.GA3022@VARK.MIT.EDU> References: <46546E16.9070707@freebsd.org> <20070523212325.GA3022@VARK.MIT.EDU>
next in thread | previous in thread | raw e-mail | index | archive | help
--zCKi3GIZzVBPywwA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2007-May-23 17:23:25 -0400, David Schultz <das@freebsd.org> wrote: >On Wed, May 23, 2007, Colin Percival wrote: >> Can anyone make a strong argument for keeping this code in the base syst= em? > >Removing it from the base system would merely amount to a >marketing ploy, wherein we get to say that FreeBSD has fewer >security holes because file(1) is a "third-party package". Doing >so wouldn't make FreeBSD installations any more secure in >practice. My thoughts as well. The way I see it, file(1) is an interpreter for the language defined in magic(5). For most purposes (particularly when processing untrusted input), the "program" that file(1) will execute is /usr/share/misc/magic Viewed this way, I do not see it as any different to awk or sed. =46rom a security aspect, file(1) can extract C-style strings and offsets from the untrusted input - and these obviously need careful sanity checks in addition to the normal error checking. Rather than treating ports as a ghetto for potentially unsafe utilities, I believe the Project would be better off making those utilities more robust. Has the OpenBSD project got an 'audited' file(1)? If so, can we import it or the fixes? --=20 Peter Jeremy --zCKi3GIZzVBPywwA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFGVYW0/opHv/APuIcRAqJPAJ9MkMaaA0FG8PTJ6W9nK3m00KCrwACdFRc4 yEfxXMi0wmBaij6wusS3eqA= =ZRq1 -----END PGP SIGNATURE----- --zCKi3GIZzVBPywwA--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070524123148.GC1160>