rtools were deemed almost unused 15 years ago...
Michael Gmelin
freebsd at grem.de
Tue Jun 20 14:00:03 UTC 2017
On Tue, 20 Jun 2017 13:11:37 +0200
Baptiste Daroussin <bapt at FreeBSD.org> wrote:
> On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote:
> > Hey folks,
> >
> > I remember when I was still barely out of my teenagehood, people
> > were mostly using ssh/scp while rtools (rsh, rlogin, ... for the
> > youngsters) were left in place as a courtesy for legacy production
> > systems still relying it on them.
> >
> > Fast forward to 2017 (so yes, 15 years later), stack-clash [1]
> > sorely reminds us that suid binaries are an attack surface. I don't
> > even need to mention that it's a healthy engineering practice to
> > remove unused code, both from a maintenance and security
> > perspective.
> >
> > Therefore, I hereby propose to remove rtools from the base system.
> > I acknowledge this will likely cause troubles for a handful of
> > people who are still relying on it for good or bad reasons. But the
> > flipside is that the attack surface of millions of FreeBSD
> > installed out there will be reduced.
> >
> > The proposed roadmap is:
> > - disable from the build on head and let it soak for one month
> > - remove rtools from the base.
> >
> > What do you guys think? Any preferred color for the bikeshed? :)
> >
> >
> >
> > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Yeah!
>
> Is telnetd part of your list?
As long as the telnet(1) client stays in I'm all for it.
-m
--
Michael Gmelin
More information about the freebsd-arch
mailing list