RFC: Removing file(1)+libmagic(3) from the base system
Kris Kennaway
kris at obsecurity.org
Wed May 23 19:21:05 UTC 2007
On Wed, May 23, 2007 at 09:38:46AM -0700, Colin Percival wrote:
> FreeBSD architects and file(1) maintainer,
>
> I'd like to remove file(1) and libmagic(3) from the FreeBSD base system
> for the following reasons:
> 1. I don't see it as being a necessary component of a UNIX-like operating
> system.
> 2. It's available in the ports tree.
> 3. Due to its nature as a program which parses multiple data formats, it
> poses an unusually high risk of having security problems in the future
> (cf. ethereal/wireshark).
>
> The one redeeming feature of file/libmagic as far as security is concerned
> is that it doesn't act as a daemon, i.e., other code or user intervention
> is required for an attacker to exploit security issues. This is why I'm
> asking here rather than wielding the "Security Officer can veto code which
> he doesn't like" stick. :-)
>
> Can anyone make a strong argument for keeping this code in the base system?
What is the threat you are defending against here: "Admin runs file(1)
on untrusted binary"?
If so, how does it differ from e.g. running cat(1) on an untrusted
binary, which can reprogram your terminal emulation and in some cases
take over your terminal; or from various other unprivileged user
binaries that also crash when operating on corrupted data, possibly in
an exploitable way? Last time I checked lots of our /usr/bin tools
coredumped when you passed them unexpected input.
Also, did coverity find the buffer overflow, and if so, what other
bugs does it see in this tool, and have you fixed them? :)
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20070523/be5eb505/attachment.pgp
More information about the freebsd-arch
mailing list