On Thu, Apr 19, 2012 at 8:10 AM, Jan de Groot <[email protected]> wrote:
> On Thu, 19 Apr 2012 14:04:25 +0200, Florian Pritz wrote:
>>
>> On 19.04.2012 10:56, Tom Gundersen wrote:
>>>
>>> On Apr 19, 2012 10:37 AM, "Thomas Bächler" <[email protected]> wrote:
>>>>
>>>> On 18.04.2012 21:20, Eric Bélanger wrote:
>>>> > Hi,
>>>> >
>>>> > Currently, the inetutils packages provide the old unsecure r* family
>>>> > of tools. There is currently a bug report [1] asking for the removal
>>>> > of rexec as it is particularly unsecure. As these things are old and I
>>>> > suppose everyone has moved to more secure apps like ssh/sftp, I'm
>>>> > thinking about removing all these r* tools.
>>>>
>>>> Just because they're insecure doesn't mean we shouldn't provide them.
>>>> There are probably enough people that use this, and it is their choice.
>>>
>>> There's always the AUR...
>>
>> So we should put shadow and sshd into the AUR because the user could
>> enable sshd with simple password authentication (our default), create an
>> account called "test", set its password to "test" and forget about it?
>>
>> Most systems are behind a NAT router or hopefully at least a simple
>> stateful firewall so even if someone enables rexec you can't connect to
>> it from the outside. If you don't trust your LAN you are likely already
>> screwed anyway.
>
> The problem with rexec is that it contains a remote root exploit because you
> can just login with any password. This has been known for a long while and
> nobody upstream cares about it. If nobody cares about a serious security bug
> like this, then this software should not be in core.

Exactly. That's the main motive behind the bug report. If removing all the
r* tools is too drastic, I could instead only remove rexec/rexecd and keep
the others in the package. Would that be a better solution?

> As for telnet/telnetd: if you don't care about encryption you should be able
> to set that up. AFAIK telnetd doesn't allow you to login with any password,
> so there's no reason to remove telnetd from inetutils.

Yes, I didn't want to go too far in the cleanup. That's why I kept things
like telnet, ftp and talk even though most people probably use ssh/sftp and
IRC/Jabber.

Eric

