From owner-cvs-all Fri Aug 11 12:46:18 2000
Delivered-To: cvs-all@freebsd.org
Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by hub.freebsd.org (Postfix) with ESMTP id 9CEE037B515; Fri, 11 Aug 2000 12:46:11 -0700 (PDT) (envelope-from jhay@zibbi.mikom.csir.co.za)
Received: (from jhay@localhost) by zibbi.mikom.csir.co.za (8.10.1/8.10.1) id e7BJjlj58635; Fri, 11 Aug 2000 21:45:47 +0200 (SAT)
From: John Hay
Message-Id: <200008111945.e7BJjlj58635@zibbi.mikom.csir.co.za>
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
In-Reply-To: <200008111913.NAA36613@harmony.village.org> from Warner Losh at "Aug 11, 2000 01:13:59 pm"
To: imp@village.org (Warner Losh)
Date: Fri, 11 Aug 2000 21:45:47 +0200 (SAT)
Cc: jhay@icomtek.co.za (John Hay), mark@grondar.za (Mark Murray), chris@netmonger.net (Christopher Masto), cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> In message <200008111909.e7BJ9cU57765@zibbi.mikom.csir.co.za> John Hay writes:
> : If we really want to be this paranoid, we should think about removing
> : all other suid programs from a standard build too.
>
> Which ones?

Well, I would say anything not essential to allow the administrator to log in the first time. Then he can add/enable the programs he wants. :-)

> The current list that I have shows many, relatively small ones that
> have been well audited and are easy to audit. Perl isn't easy to
> audit, is huge and has the ability to load arbitrary code (iirc).

I understand this, but the point that I was trying to make is that FreeBSD installations are supposed to get easier and not more difficult. To require that you have to get the FreeBSD source just to get a part of it is wrong. Then we should rather make it a port/package so that someone doing a binary installation can just pkg_add it if they want it.

> I do like the idea of installing it mode 0, but worry about hosing
> existing people. But it would be a failsafe way to hose them rather
> than the fail unsafe way we might hose them now.

Well, with the current way, someone just doing source upgrades is going to sit with an ever older suidperl. :-)

John
--
John Hay -- John.Hay@icomtek.csir.co.za

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
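The two ideas in this exchange, "install it mode 0 so it fails safe" and "keep only what the administrator needs to log in the first time", fit together as a small audit script. The following is an added example and is not code from the thread, from the FreeBSD Makefile under discussion, or from the FreeBSD source tree; the tree path and the allowlist file are assumptions for illustration, and the allowlist-driven loop is a generalization of John Hay's "anything not essential" rule rather than anything the message itself prescribes.

```shell
#!/bin/sh
# Added example (not FreeBSD code): inventory the setuid programs under a
# tree, keep an explicit "essential for first login" list enabled, and
# install everything else mode 0. A mode-0 binary still sits on disk, so
# a mistake here is fail-safe: the program refuses to run until an
# administrator opts back in, instead of quietly staying setuid root.
# ROOT and the allowlist path are assumptions; try it on a scratch tree.

# list_suid ROOT: regular files under ROOT with the setuid bit set,
# one path per line, sorted. (-perm -4000 matches setuid only; add a
# second find with -perm -2000 if you also want setgid programs.)
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

# failsafe_nonessential ROOT ALLOWLIST: chmod 0 every setuid file under
# ROOT whose basename is not listed (one name per line) in ALLOWLIST.
# Prints each path it disabled so the run can be logged and reviewed.
failsafe_nonessential() {
    root=$1
    allow=$2
    list_suid "$root" | while IFS= read -r f; do
        if grep -qx "$(basename "$f")" "$allow"; then
            continue              # essential: leave it as installed
        fi
        chmod 0 "$f" && printf '%s\n' "$f"
    done
}

# enable_suid FILE MODE: the explicit opt-in the administrator performs
# later, e.g. 4511 for a setuid-root program that only root may read.
# The mode is the caller's choice; nothing here picks one for you.
enable_suid() {
    chmod "$2" "$1"
}
```

Usage on a staging tree would look like `failsafe_nonessential /path/to/stage/usr/bin /path/to/essential-suid.txt` (both paths hypothetical), with the allowlist holding one program name per line, and `enable_suid /path/to/stage/usr/bin/suidperl 4511` once someone has decided they want it. Run it against a throwaway copy first: the script disables by basename, so a list that omits the login path leaves an unusable system, which is exactly the fail-safe failure the quoted message is willing to accept.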