rtools were deemed almost unused 15 years ago...
Ian Lepore
ian at freebsd.org
Tue Jun 20 14:05:00 UTC 2017
On Tue, 2017-06-20 at 15:59 +0200, Michael Gmelin wrote:
>
> On Tue, 20 Jun 2017 13:11:37 +0200
> Baptiste Daroussin <bapt at FreeBSD.org> wrote:
>
> >
> > On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote:
> > >
> > > Hey folks,
> > >
> > > I remember when I was still barely out of my teenagehood, people
> > > were mostly using ssh/scp while rtools (rsh, rlogin, ... for the
> > > youngsters) were left in place as a courtesy for legacy
> > > production
> > > systems still relying it on them.
> > >
> > > Fast forward to 2017 (so yes, 15 years later), stack-clash [1]
> > > sorely reminds us that suid binaries are an attack surface. I
> > > don't
> > > even need to mention that it's a healthy engineering practice to
> > > remove unused code, both from a maintenance and security
> > > perspective.
> > >
> > > Therefore, I hereby propose to remove rtools from the base
> > > system.
> > > I acknowledge this will likely cause troubles for a handful of
> > > people who are still relying on it for good or bad reasons. But
> > > the
> > > flipside is that the attack surface of millions of FreeBSD
> > > installed out there will be reduced.
> > >
> > > The proposed roadmap is:
> > > - disable from the build on head and let it soak for one month
> > > - remove rtools from the base.
> > >
> > > What do you guys think? Any preferred color for the bikeshed? :)
> > >
> > >
> > >
> > > [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> > >
> > Yeah!
> >
> > Is telnetd part of your list?
> As long as the telnet(1) client stays in I'm all for it.
>
> -m
>
As long as ports are available for all these things, the impact of
removing them should be negligible for the few still using them.
-- Ian
More information about the freebsd-arch
mailing list