Subject: Re: Proposal for new utility in base: bin/nc
To: Alistair Crooks <>
From: Mike Pelley <>
List: tech-userlevel
Date: 10/12/2001 10:03:23
Alistair Crooks wrote:

> "If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies
> a program to exec after making or receiving a successful connection.  In the
> listening mode, this works similarly to "inetd" but only for a single instance.
> Use with GREAT CARE.  This piece of the code is normally not enabled; if you
> know what you're doing, have fun.  This hack also works in UDP mode.  Note that
> you can only supply -e with the name of the program, but no arguments.  If you
> want to launch something with an argument list, write a two-line wrapper script
> or just use inetd like always."
> Now, personally, I don't like introducing "gaping security holes"
> into the base system. Call me old-fashioned, but I personally don't
> want my name in lights on any number of Bugtraq advisories.

Clearly it is not required nor advised to compile netcat with the 
-DGAPING_SECURITY_HOLE define, so I do not understand why you are 
concerned.  Apache offers a similar define to run as root but since 
pkgsrc does not enable it there is no problem.  Additional functionality 
available for special circumstances that is disabled by default during 
compile time (and clearly labelled as dangerous) should not be 
considered a security flaw.

Also, the source in Eric's tar does not seem to offer this define anyway.

On a more general note, netcat is very handy for various network tasks 
but I don't think it is critical enough to include with the base system.