Subject: Re: vixie-crontab vulnerable?
To: None <current-users@NetBSD.ORG>
From: Michael Richardson <>
List: current-users
Date: 12/16/1996 20:16:02

>>>>> "Perry" == Perry E Metzger <> writes:
    Perry> I think, however, that any SUID or daemon program that is
    Perry> not performance critical should probably have all the
    Perry> string manipulators converted over. I can't think of many
    Perry> that are performance critical -- so this means most of
    Perry> them.

  Let's not forget this; we are talking about putting together a
  I'd say build it and remove all the "unsafe" functions so we get
link errors.
  What we need is for someone to
	1. make
	2. build the libcsafe
  and then we just need to generate a list of programs that
are affected (remember, this includes root-run daemons that accept
input, e.g. telnetd, rlogind, rshd, inetd, etc). A group of people can
then go through these programs and make sure that they link.

  My opinion is that disk space is cheap, and I'm willing to have all
setuid programs and common root-run daemons statically linked. X is
the one exception.
  I would be happy to do #1 and #2, and collect the list of things
that people think should be removed from libcsafe along with the list
of programs affected.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: PGP key available.
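
One way to generate the list of affected programs mentioned above, as an added example that is not part of the original message: scan the undefined symbols of setuid/setgid binaries for imports of "unsafe" string functions. The function list in `UNSAFE`, the names `unsafe_imports` and `audit_dirs`, and the sample `nm -u` output are assumptions made for this example; the thread does not enumerate which functions a libcsafe would drop.

```shell
#!/bin/sh
# Added example: report which "unsafe" libc string functions a binary imports.
# UNSAFE is an assumed list; the thread does not name the functions.
UNSAFE='gets strcpy strcat sprintf vsprintf'

# Read `nm -u` style output on stdin; print each unsafe import once, sorted.
# Handles a.out-style leading underscores (_strcpy) and ELF version
# suffixes (strcpy@GLIBC_2.2.5); bounded variants such as strncpy are ignored.
unsafe_imports() {
    awk -v list="$UNSAFE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        {
            sym = $NF                  # symbol name is the last field
            sub(/@.*/, "", sym)        # drop ELF symbol version suffix
            if (sym in bad) { seen[sym] = 1; next }
            sub(/^_/, "", sym)         # strip one a.out leading underscore
            if (sym in bad) seen[sym] = 1
        }
        END { for (s in seen) print s }
    ' | sort
}

# Audit every setuid/setgid file under the given directories.
# nm -u only sees imports of dynamically linked binaries and unlinked
# objects; a statically linked binary has to be checked before linking.
audit_dirs() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        hits=$(nm -u "$f" 2>/dev/null | unsafe_imports | tr '\n' ' ')
        [ -n "$hits" ] && printf '%s: %s\n' "$f" "$hits"
    done
    return 0
}

# Constructed sample of `nm -u` output (not taken from a real binary).
SAMPLE='         U _strcpy
         U _strncpy
         U sprintf@GLIBC_2.2.5
         U __strcpy_chk
         U _malloc'

printf '%s\n' "$SAMPLE" | unsafe_imports
```

Calling `audit_dirs` with the directories that hold setuid programs and root-run daemons prints one line per binary that still imports a listed function.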
