From: Garance A Drosihn
To: Unknow User
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
Date: Thu, 3 Jun 1999 14:33:05 -0400
In-Reply-To: <375693C1.68C59211@tdnet.com.br>

At 2:40 PM +0000 6/3/99, Unknow User wrote:
>Bill Fumerola wrote:
>
>> Manually apply the patch or use the source and figure it out for yourself.
>>
>> Stop doing things the hard way just for a false sense of security.
>                                            ^^^^^^^^^^^^^^^^^^^^^^^
>
>The problem is that we never know what SUID, port will install!
>It happens that other has the same "false sense of security" I have:

Yes, so instead of using the port collection, you went ahead and installed ssh2 without any FreeBSD-specific updates, and you were quite willing to run that program as super-user even though you clearly don't have a clue what it does, what it *needs* to do under FreeBSD, or even what you are doing.

This is known as a false sense of security.

>The problem is that we never know what SUID, port will install!

To answer this in another way, if you did know what you were doing, you would realize that the system checks for setuid programs every day, and sends email to root if some change occurs among setuid programs. You could monitor that email, and then you WOULD know what setuid programs were installed by a port.
---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer               or  drosih@rpi.edu
Rensselaer Polytechnic Institute
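
The kind of daily setuid check the message above refers to, sketched as an added example (it is not part of the original email and is not FreeBSD's own script): it snapshots every setuid/setgid file under a directory and reports what changed since the last snapshot. The function names `list_setid` and `check_setid` and the baseline path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: snapshot set-id files and report changes against a baseline.

# list_setid DIR: one line per setuid/setgid regular file under DIR, as
# "mode uid gid size path", sorted by path. -xdev keeps find on one filesystem.
list_setid() (
    LC_ALL=C; export LC_ALL          # stable ls date layout and sort order
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldn {} + |
    awk '{ printf "%s %s %s %s", $1, $3, $4, $5
           for (i = 9; i <= NF; i++) printf " %s", $i
           print "" }' |
    sort -k 5
)

# check_setid DIR BASELINE: print differences between the current list and
# BASELINE, then refresh BASELINE. Returns 0 if unchanged, 1 if changed.
check_setid() {
    cs_dir=$1; cs_base=$2
    cs_cur=$(mktemp) || return 2
    list_setid "$cs_dir" > "$cs_cur"
    [ -f "$cs_base" ] || : > "$cs_base"     # first run: everything is "added"
    if cmp -s "$cs_base" "$cs_cur"; then
        cs_rc=0
    else
        # A mode or owner change shows up as one "removed" plus one "added" line.
        diff "$cs_base" "$cs_cur" |
            sed -n -e 's/^> /added:   /p' -e 's/^< /removed: /p'
        cs_rc=1
    fi
    mv "$cs_cur" "$cs_base"
    return "$cs_rc"
}

# Typical use around a port install (the baseline path is a placeholder):
#   check_setid /usr/local /var/db/setid.local   # before: record the baseline
#   make install
#   check_setid /usr/local /var/db/setid.local   # after: lists what the port added
```

Run from cron with the output piped to mail, this gives root the same kind of change report the message describes.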