Re: RFC: Removing file(1)+libmagic(3) from the base system

---

• From: Andrey Chernov <ache@xxxxxxxxxxx>
• Date: Thu, 24 May 2007 18:59:20 +0400

---

On Wed, May 23, 2007 at 01:49:13PM -0400, Daniel Eischen wrote:

On Wed, 23 May 2007, Colin Percival wrote:

FreeBSD architects and file(1) maintainer,

I'd like to remove file(1) and libmagic(3) from the FreeBSD base system
for the following reasons:
1. I don't see it as being a necessary component of a UNIX-like operating
system.
2. It's available in the ports tree.
3. Due to its nature as a program which parses multiple data formats, it
poses an unusually high risk of having security problems in the future
(cf. ethereal/wireshark).

The one redeeming feature of file/libmagic as far as security is concerned
is that it doesn't act as a daemon, i.e., other code or user intervention
is required for an attacker to exploit security issues. This is why I'm
asking here rather than wielding the "Security Officer can veto code which
he doesn't like" stick. :-)

Can anyone make a strong argument for keeping this code in the base system?

Yes, because other OS's have it (file) in their base, and because
it is a POSIX-defined utility. Please consider this a strong no.

I agree with Daniel. Better way is to add a big warning to file(1) manpage
about running it against untrusted sources.

--
http://ache.pp.ru/
_______________________________________________
freebsd-arch@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@xxxxxxxxxxx"

---

• References:
  • RFC: Removing file(1)+libmagic(3) from the base system
    • From: Colin Percival
  • Re: RFC: Removing file(1)+libmagic(3) from the base system
    • From: Daniel Eischen

• Prev by Date: Re: sched_lock && thread_lock()
• Next by Date: Re: RFC: Removing file(1)+libmagic(3) from the base system
• Previous by thread: Re: RFC: Removing file(1)+libmagic(3) from the base system
• Next by thread: Re: RFC: Removing file(1)+libmagic(3) from the base system
• Index(es):
  • Date
  • Thread

---

Relevant Pages RFC: Removing file(1)+libmagic(3) from the base system ... I'd like to remove fileand libmagicfrom the FreeBSD base system ... The one redeeming feature of file/libmagic as far as security is concerned ... Can anyone make a strong argument for keeping this code in the base system? ... FreeBSD Security Officer ... (freebsd-arch) Re: Dumb question about ports/packages ... Or is just wise to leave the base alone and upgrade when a new ... follow the security branch for your ... > of base system vunerabilities. ... FreeBSD is designed to work ... (freebsd-questions) Re: RFC: Removing file(1)+libmagic(3) from the base system ... The one redeeming feature of file/libmagic as far as security is concerned ... is that it doesn't act as a daemon, i.e., other code or user intervention ... Can anyone make a strong argument for keeping this code in the base system? ... which can reprogram your terminal emulation and in some cases ... (freebsd-arch) Re: DPS Initial Ideas ... It can happen that base system utilities become unusable for various ... reasons: Maybe an installworld went wrong, ... If sqlite3 is being used solely for ports management ... This is a function of sqlite3rather than the SQLite database itself. ... (freebsd-hackers) Re: How long without patching the base system? ... >> But for the base system, I'm not aware of such a tool. ... I can rely on FreeBSD security advisories ... > It's possible to update heaps of the system without rebooting, ... for my ports I upgrade as soon as portupgrade tells me (if the ... (comp.unix.bsd.freebsd.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > arch  > 2007-05