[arch-dev-public] Inetutils cleanup

Jan de Groot jan at jgc.homeip.net
Thu Apr 19 08:10:14 EDT 2012


 On Thu, 19 Apr 2012 14:04:25 +0200, Florian Pritz wrote:
> On 19.04.2012 10:56, Tom Gundersen wrote:
>> On Apr 19, 2012 10:37 AM, "Thomas Bächler" <thomas at archlinux.org> wrote:
>>>
>>> Am 18.04.2012 21:20, schrieb Eric Bélanger:
>>> > Hi,
>>> >
>>> > Currently, the inetutils packages provide the old insecure r* family
>>> > of tools. There is currently a bug report [1] asking for the removal
>>> > of rexec as it is particularly insecure. As these things are old and I
>>> > suppose everyone has moved to more secure apps like ssh/sftp, I'm
>>> > thinking about removing all these r* tools.
>>>
>>> Just because they're insecure doesn't mean we shouldn't provide them.
>>> There are probably enough people that use this, and it is their choice.
>>
>> There's always the AUR...
>
> So we should put shadow and sshd into the AUR because the user could
> enable sshd with simple password authentication (our default), create an
> account called "test", set its password to "test" and forget about it?
>
> Most systems are behind a NAT router or hopefully at least a simple
> stateful firewall so even if someone enables rexec you can't connect to
> it from the outside. If you don't trust your LAN you are likely already
> screwed anyway.

 The problem with rexec is that it contains a remote root exploit 
 because you can just log in with any password. This has been known for a 
 long while and nobody upstream cares about it. If nobody cares about a 
 serious security bug like this, then this software should not be in 
 core.

 As for telnet/telnetd: if you don't care about encryption you should be 
 able to set that up. AFAIK telnetd doesn't allow you to log in with any 
 password, so there's no reason to remove telnetd from inetutils.
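For readers who have never looked at what rexec actually puts on the wire, here is an added example (not code from inetutils or from anyone in this thread) that encodes and decodes the rexec exchange as documented for the BSD rexec(3) client and rexecd(8) server: the client sends four NUL-terminated fields (stderr port, username, password, command) in cleartext, and the server answers with a single NUL byte on success or a 0x01 byte followed by a newline-terminated error message. The names `RexecRequest`, `encode_request`, `decode_request`, `decode_reply` and the `CAPTURE` bytes are this example's own constructions; the capture is fabricated sample traffic, not a real session.

```python
"""Added example: the rexec wire format (BSD rexec(3)/rexecd(8)), not inetutils code."""
from dataclasses import dataclass

REXEC_PORT = 512  # the "exec" service port that rexecd listens on


@dataclass
class RexecRequest:
    stderr_port: int   # ASCII decimal; "0" means "no separate stderr connection"
    user: str
    password: str
    command: str


def encode_request(req: RexecRequest) -> bytes:
    """Serialize a request exactly as an rexec client does: four fields,
    each terminated by NUL, with the password in the clear."""
    fields = (str(req.stderr_port), req.user, req.password, req.command)
    for f in fields:
        if "\0" in f:
            raise ValueError("rexec fields cannot contain NUL")
    return b"".join(f.encode() + b"\0" for f in fields)


def decode_request(data: bytes) -> RexecRequest:
    """Parse a client request the way rexecd does: split on NUL.
    Raises ValueError on a truncated or malformed request."""
    fields = data.split(b"\0")
    # A well-formed request is four NUL-terminated fields, so split()
    # yields those four plus one empty trailing element.
    if len(fields) < 5 or fields[4] != b"":
        raise ValueError("truncated or malformed rexec request")
    port, user, password, command = (f.decode(errors="strict") for f in fields[:4])
    if not port.isdigit():
        raise ValueError("stderr port is not a decimal number")
    return RexecRequest(int(port), user, password, command)


def decode_reply(data: bytes) -> tuple[bool, str]:
    """Interpret the first byte(s) rexecd sends back: NUL on success
    (command output follows on the same socket), or 0x01 plus a
    newline-terminated diagnostic on failure."""
    if not data:
        raise ValueError("empty reply")
    if data[0] == 0:
        return True, ""
    if data[0] == 1:
        message = data[1:].split(b"\n", 1)[0]
        return False, message.decode(errors="replace")
    raise ValueError(f"unexpected leading byte {data[0]:#x}")


def credentials_from_capture(stream: bytes) -> tuple[str, str]:
    """What a passive observer on the path recovers from the client's
    first bytes: the username and the cleartext password."""
    req = decode_request(stream)
    return req.user, req.password


# Constructed sample traffic (not a real capture): a client running `id`
# as user "alice" with password "s3cret", followed by a server rejection.
CAPTURE = b"0\0alice\0s3cret\0id\0"
REJECTION = b"\x01Login incorrect.\n"

if __name__ == "__main__":
    print("client ->", encode_request(RexecRequest(0, "alice", "s3cret", "id")))
    print("sniffed  ", credentials_from_capture(CAPTURE))
    print("server ->", decode_reply(b"\0"), decode_reply(REJECTION))
```

The point the encoder makes is that nothing in this protocol protects the password field: whoever can read the TCP stream to port 512 reads the credential, which is the case against shipping it regardless of any authentication bug in a particular rexecd.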

