Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 19 Apr 2021 14:31:30 -0400
From: Eli Schwartz <eschwartz@...hlinux.org>
To: oss-security@...ts.openwall.com
Subject: Re: xscreensaver package caps gets raw socket

On 4/19/21 2:15 PM, Ariadne Conill wrote:
> Hello,
> 
> On Mon, 19 Apr 2021, David A. Wheeler wrote:
> 
>>>> On Apr 18, 2021, at 8:25 AM, Simon McVittie <smcv@...ian.org> wrote:
>>>> Scraping is undesirable, but sometimes needed. If this is a common
>>>> need, a
>>>> long-term solution might be to create an option on ping to generate
>>>> a standard
>>>> format that’s easier to machine-parse.
>>>
>>> On Apr 19, 2021, at 1:35 PM, Ariadne Conill
>>> <ariadne@...eferenced.org> wrote:
>>> This already exists as fping(1), for example:
>>
>> The problem for application developers is that “ping” exists
>> practically everywhere,
>> while fping does not.
> 
> Absolutely true, but fping is packaged in most Linux distributions, as
> well as all of the BSDs, due to its use by various network monitoring
> programs such as smokeping and nagios, so it seems like a reasonable
> dependency for cases like these.
> 
> IMO, it's better that programs declare something like fping as a
> dependency, so that we don't have to deal with yet another program years
> from now having elevated privileges and being abused to run tcpdump... :)
> 
> Seriously, if anyone on this list ever finds themselves writing a
> program where they need to fire off some pings, instead of making their
> program SUID or granting it cap_net_raw, just use fping instead.  At the
> very least, you'll be happier because you don't have to write your own
> ping code, and the distribution maintainers of the world will be happier
> because you *didn't* write your own ping code.


Also fping is the standard fping, but there is no standard ping so one
would need to coordinate adding the option to a number of different
descendant forks of 4.3BSD ping, before it could be reliably used.

If the answer to your question is ever "for X number of independent
implementations of Y, add the same new feature to all of them", then the
problem will not be coming up with wonderful ideas to solve problems --
the problem will be getting people to implement those wonderful ideas.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User



Download attachment "OpenPGP_signature" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.