netcat -e: the GAPING_SECURITY_HOLE

While I've no definitive answer, I believe the gaping security hole is only present if your nc has -e enabled and is setuid root. (As nc is often used to bind to ports, it might be packaged setuid root to enable all users to bind on the privileged ports below 1024.)

In that situation, nc -e would exec the given process as root - which means it would let any user run any process as root. I'm sure you'll recognise that this is a gaping security hole. By contrast, if you run your own process and use pipes to connect it to nc, that process does not run as root unless you have some other way to elevate it (like sudo access).

As grawity pointed out, netcat's original release announcement complained that

the commercial vendors would have likely packaged [netcat] setuid root and with -DGAPING_SECURITY_HOLE turned on but not documented.

This lends weight to my theory, I think. :)


From the original release announcement:

Obligatory vendor-bash: If "nc" had become a standard utility years ago, the commercial vendors would have likely packaged it setuid root and with -DGAPING_SECURITY_HOLE turned on but not documented. It is hoped that netcat will aid people in finding and fixing the no-brainer holes of this sort that keep appearing, by allowing easier experimentation with the "bare metal" of the network layer.

Not that it makes anything clearer...