tech-userlevel: Re: Proposal for new utility in base: bin/nc

Subject: Re: Proposal for new utility in base: bin/nc
To: Todd Vierling <tv@wasabisystems.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-userlevel
Date: 10/17/2001 18:53:34

On Wed, Oct 17, 2001 at 10:41:47AM -0400, Todd Vierling wrote:
> On Fri, 12 Oct 2001, Mike Pelley wrote:
> 
> : Alistair Crooks wrote:
> :
> : > "If netcat is compiled with -DGAPING_SECURITY_HOLE, the -e argument specifies
> : > a program to exec after making or receiving a successful connection.
> 
> : > Now, personally, I don't like introducing "gaping security holes"
> : > into the base system. Call me old-fashioned, but I personally don't
> : > want my name in lights on any number of Bugtraq advisories.
> 
> FWIW, this 'gaping security hole' is nothing more than a one-shot,
> single-service inetd (precisely what you quoted, if you reread it).  I'd
> call that about as gaping as letting untrusted people have shell access in
> the first place.  You could do precisely this with a three-line perl
> program, too....

I didn't call it a "gaping security hole" - the author of the original
netcat called it such.

If we can do all this with a 3-line perl script, then WTF has this
discussion gone on so long?

And from an earlier posting from Mike Pelley:

> Clearly it is not required nor advised to compile netcat with the 
> -DGAPING_SECURITY_HOLE define, so I do not understand why you are 
> concerned.  Apache offers a similar define to run as root but since 
> pkgsrc does not enable it there is no problem.  Additional functionality 
> available for special circumstances that is disabled by default during 
> compile time (and clearly labelled as dangerous) should not be 
> considered a security flaw.

Some people want the functionality, others don't. Some people think it's
a gaping security hole, others don't.

To reply to an earlier posting from Eric Gillespie, Jr, about the
licence:  it doesn't really matter what licence you put on a
derivative work if the original was released under the GPL or
similar. That's why we have to check, especially if someone is
proposing that we include this in basesrc.

And, finally, I'd like to reiterate Hubert's request that someone
package up the more advanced version, or the 3-line Perl script,
or whatever.

Thanks,
Alistair