Mailing List Archive


Re: [tlug] For all you vi heathen ;-)

On 2020-07-17 08:12 +0900 (Fri), Chris wrote:

> > OpenBSD.
> I see Theo's propaganda machine is still effective.


On 2020-07-17 02:09 +0900 (Fri), Benjamin Kowarsch wrote:

> I would not allow any extranet remote users at all unless I am running
> OpenVMS or OpenBSD.

That is a very foolish approach to security.

The vim issue is no surprise; probably the most important part of the "fix"
was the addition of these two lines to the documentation:

    Note that the user may still find a loophole to execute a
    shell command, it has only been made difficult.

"'Restricted' version of a very general, complex tool" is almost invariably
a security fail; we've known this for decades. (Remember when `rsh` meant
"restricted shell"?)

There's a reasonable argument to be made that things of this nature should
not be made available. Not only are they an almost certain source of
security holes if used naïvely, but almost any use, even by someone who
(normally) knows what he's doing, is naïve. But they do have their (very)
occasional uses.

Curt J. Sampson      <>      +81 90 7737 2974

To iterate is human, to recurse divine.
    - L Peter Deutsch
