Bugtraq mailing list archives

Re: ftpd and setproctitle()


From: djb@cr.yp.to (D. J. Bernstein)
Date: Fri, 7 Jul 2000 17:42:48 -0000


Often an interface encourages bugs. The right way to use the interface
isn't the easiest way to use the interface. This interface turns every
new programmer into an enemy, creating bugs faster than we can fix them.

The solution is to eliminate the interface. Design a new interface that
doesn't encourage bugs. Then make sure that everyone switches to the new
interface. Advertise the new interface. Make the old interface more and
more difficult to use. Move gets() to /usr/lib/libbugpronestandards.a.

Is this easier than documenting the right way to use the old interface?
Of course not. But it can actually succeed. Documentation never will.

For several years I've been systematically identifying and redesigning
bug-prone interfaces. I don't have any more memory leaks, for example,
because I'm now using memory-allocation interfaces where leaks are more
difficult to write than correct code.

In 1996, when I identified the flaw under discussion in setproctitle()
et al., I worked out several solutions. Simplest was to make sure that
typical strings fail miserably as format strings. Replace setproctitle()
with a setproctitlex() that

   * removes an X from the beginning of the format string, or
   * changes the string to "Use (\"X%s\",...)" if there wasn't an X,

and you'll never have to worry about this bug again. I'm actually using
a different solution, but setproctitlex() has lower transition cost.

Theo de Raadt writes:
> Well, while everyone is talking about setproctitle affecting wuftpd,
> I should probably note that it even affects the OpenBSD ftpd.  In fact,
> looking around, it looks like it might affect everyone's ftpd.

It doesn't affect publicfile's ftpd. http://cr.yp.to/publicfile.html

---Dan
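The setproctitlex() guard described in the post, written out as an added C example (this is not Bernstein's code and not from any ftpd). It assumes a process-title buffer standing in for the platform's setproctitle(); the function name setproctitlex(), the buffer name `title`, and the helper current_title() are this example's own, and the sample inputs in the comments are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the process title. A real wrapper would hand
   the formatted result to the platform's setproctitle() or argv rewrite. */
static char title[256];

/* setproctitlex(): the format string must begin with 'X'.
   - If it does, the X is stripped and the rest is formatted as usual.
   - If it does not, the caller has almost certainly passed a data string
     (a file name, a user name) where a format string belongs. The string is
     then never handed to vsnprintf at all; the title becomes a diagnostic
     telling the programmer the correct call shape instead. */
const char *setproctitlex(const char *fmt, ...)
{
    va_list ap;

    if (fmt == NULL || fmt[0] != 'X') {
        /* fmt is not interpreted here, so any % directives it carries
           (for example from attacker-controlled input) are harmless. */
        snprintf(title, sizeof title, "Use (\"X%%s\",...)");
        return title;
    }

    va_start(ap, fmt);
    vsnprintf(title, sizeof title, fmt + 1, ap);   /* skip the leading X */
    va_end(ap);
    return title;
}

/* Read back the current title (for callers and tests). */
const char *current_title(void)
{
    return title;
}

int main(void)
{
    const char *user_input = "%x%x";          /* constructed untrusted data */

    /* Correct use: data goes through %s, never into the format itself. */
    printf("%s\n", setproctitlex("Xftpd: %s", user_input));   /* ftpd: %x%x */

    /* Bug pattern the post describes: data passed as the format. The
       wrapper refuses it instead of interpreting the directives. */
    printf("%s\n", setproctitlex(user_input));                /* Use ("X%s",...) */
    return 0;
}
```

The transition cost is exactly what the post claims: every existing call site fails loudly with a visible title until someone adds the X, and once it is added, a data string can no longer be mistaken for a format because it will not start with X.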
