nc "gaping security hole" menu config entry??
Paul Fox
pgf at brightstareng.com
Wed Apr 19 14:58:59 UTC 2006

> > > > > yes, it's amusing, but perhaps someone can come up with a better
> > > > > name for the nc "-e" option than GAPING_SECURITY_HOLE?
> > > >
> > > > FWIW, that's what the original netcat source called it. If
> > > > compiling from original sources, you'd have to
> > > > -DGAPING_SECURITY_HOLE.
> > > >
> > > > (http://www.vulnwatch.org/netcat/readme.html)
> > >
> > > ok, this is one of those cases where i *don't* feel at all bound
> > > by historical precedent.
> >
> > if you ever read through the netcat source, the option name makes
> > sense ... personally i'd just keep it as is ;)
>
> sorry. i don't feel the need to actually RTFS to suggest that this is
> a thoroughly useless option name and should be changed.

i have no problem with retaining the traditional name for this
option -- anyone who's ever looked at netcat closely or built it
themselves knows where the name comes from -- but at least the
busybox config help should be expanded to explain why adding
support for "executing a program after making or receiving a
successful connection" is perhaps a bad idea, and why it is,
indeed, a gaping security hole, especially since it sounds useful
on face value. (and if we truly think it's a bad idea, i'd also
suggest that having "make defconfig" turn this feature on is also
a bad idea.)

paul
=---------------------
paul fox, pgf at brightstareng.com