On 2015/11/13 09:59, Theo de Raadt wrote:
> > > I really want to delete telnet entirely,
> > 
> > I often use it for testing unencrypted SMTP and HTTP across the
> > Internet.  Which tool would you recommend for that purpose?
> 
> nc(1).

I use telnet fairly often for connecting to things like crappy switches,
crappy routers, APs of varying crappiness, etc. nc -t isn't close to being
good enough for this, also with nc it's difficult to send things like ^C
(even worse, if you use it much you forget about this and end up killing
your connection). I wouldn't mind having it removed from base, but it would
need to go in ports unless nc gets a lot of polishing.

> > You might wish to cross-check these three points though:
> > 
> >  * Does "inet" actually allow the following setsockopt()
> >    arguments: SO_DEBUG, SO_RTABLE, IP_TOS, IPV6_TCLASS?
> >    I know nothing about socket options.
> 
> I think all of those should be deleted, except perhaps SO_RTABLE,
> which should be done line in nc(1).

TOS/TCLASS are somewhat important, nc and ssh in client mode also
use them. IP_TOS is permitted by "inet". IPV6_TCLASS was missed but
should be added, it's the IPv6 equivalent to IP_TOS.

Index: kern_pledge.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.106
diff -u -p -r1.106 kern_pledge.c
--- kern_pledge.c       10 Nov 2015 04:30:59 -0000      1.106
+++ kern_pledge.c       13 Nov 2015 17:11:20 -0000
@@ -1275,6 +1275,7 @@ pledge_sockopt(struct proc *p, int set, 
                break;
        case IPPROTO_IPV6:
                switch (optname) {
+               case IPV6_TCLASS:
                case IPV6_UNICAST_HOPS:
                case IPV6_RECVHOPLIMIT:
                case IPV6_PORTRANGE:
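Review bot: the new `case IPV6_TCLASS:` is added only in kern_pledge.c; if pledge(2) enumerates the setsockopt(2) options permitted under "inet", that list should gain IPV6_TCLASS next to IP_TOS in the same commit so the manual stays in step with the kernel check. Since the hunk shows only the head of the IPPROTO_IPV6 switch, it is also worth confirming that the newly added case falls through to the same permitted return as IPV6_UNICAST_HOPS and friends, and that IP_TOS sits on the equivalent IPPROTO_IP branch so the IPv4 and IPv6 handling remain symmetric.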
