nc "gaping security hole" menu config entry??

Rich Felker dalias at aerifal.cx
Wed Apr 19 15:26:22 UTC 2006


On Wed, Apr 19, 2006 at 10:58:59AM -0400, Paul Fox wrote:
>  > > > > >   yes, it's amusing, but perhaps someone can come up with a better
>  > > > > > name for the nc "-e" option than GAPING_SECURITY_HOLE?
>  > > > >
>  > > > > FWIW, that's what the original netcat source called it.  If
>  > > > > compiling from original sources, you'd have to
>  > > > > -DGAPING_SECURITY_HOLE.
>  > > > >
>  > > > > (http://www.vulnwatch.org/netcat/readme.html)
>  > > >
>  > > > ok, this is one of those cases where i *don't* feel at all bound
>  > > > by historical precedent.
>  > >
>  > > if you ever read through the netcat source, the option name makes
>  > > sense ... personally i'd just keep it as is ;)
>  > 
>  > sorry.  i don't feel the need to actually RTFS to suggest that this is
>  > a thoroughly useless option name and should be changed.
> 
> i have no problem with retaining the traditional name for this
> option -- anyone who's ever looked at netcat closely or built it
> themselves knows where the name comes from -- but at least the
> busybox config help should be expanded to explain why adding
> support for "executing a program after making or receiving a
> successful connection" is perhaps a bad idea, and why it is,

If it were a bad idea then inetd would not exist. This is the EXACT
SAME FUNCTIONALITY as inetd!

If a user runs an inappropriate program that gives the remote peer
unwanted privileges, all it means is that the user is an idiot, not
that the option is "insecure".

Rich



