From: "Crist J. Clark" <cjc@earthlink.net>
To: Bill Barnes <bbarnes@operamail.com>
Cc: cjclark@alum.mit.edu, freebsd-questions@freebsd.org
Date: Sun, 2 Jul 2000 00:28:44 -0700
Subject: Re: Ports via FTP
Message-ID: <20000702002843.J1820@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <398F046C@operamail.com>

On Sun, Jul 02, 2000 at 01:55:41AM -0400, Bill Barnes wrote:
> I created the wrong impression. It isn't FreeBSD that I'm worried about, it's
> the crackers.
> This afternoon and evening the download was stalled a lot and there is some
> offline preparation time and I've read there is significant risk in connecting
> to the internet as root.
> It doesn't matter too much right now because I just installed and haven't
> anything to lose. I was logged in as root for other maintenance and, frankly,
> forgot about that until I started the ftp.
> If I log in as non-root, establish the internet connection, then su for the ftp
> process, does that eliminate the risk of 'root online'; or maybe I am worried
> about a non-problem.

Hmmm... I'm still not quite understanding you. How do you log in as non-root to establish the Internet connection, _then_ ftp after su'ing to root? I mean, isn't the ftp connection the "Internet connection" we are talking about?

So I'm not sure what "root on-line" risk you are talking about either. To me, that might typically be logging into a machine as root remotely. That is, being root on the remote machine, not locally, with the accompanying risk being to the remote machine. The problem is that authentication is going out over the network as well as everything you type (so it better be encrypted). There can be risks to both local and remote machines if you are running X as root over a net (not doing that, right?).

In this case, you are using things like anonymous ftp or http to connect to other machines. This is only a risk if you do not feel safe with FreeBSD's ftp, fetch, or whatever application you may use to connect to the untrusted machine. If misbehavior on the remote server can get your ftp client, which is running as root, to do bad things (like execute arbitrary code), then you are in trouble. There is some risk there. Never connect to an untrusted machine using lynx from root, lynx has known buffer overflows (I forget if exploits have been demonstrated). I, personally, would never use Netscape as root for similar reasons and others. However, I feel that ftp and fetch are pretty safe and regularly use root to do a port install from end-to-end.
--
Crist J. Clark cjclark@alum.mit.edu
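One way to act on the concern raised in this thread, as an added example that is not part of the original message: the network-facing step (fetching a port's distfiles) runs under an unprivileged account, and root only handles files already on disk, with fetching as root disabled outright. The account name "fetcher", its distfile directory, and the assumption that make(1) only needs write access to DISTDIR for the checksum target are hypothetical choices for this example.

```sh
#!/bin/sh
# Added example (not from the original thread): privilege-separated port install.
# The FTP/HTTP download runs as an unprivileged user; root never opens a connection.
# Assumptions (hypothetical): FreeBSD ports tree under /usr/ports, an unprivileged
# account "fetcher" that owns /home/fetcher/distfiles, and the script is run by root.
set -eu

FETCHER=fetcher                         # hypothetical unprivileged account
FETCH_DISTDIR=/home/fetcher/distfiles   # writable by $FETCHER only

# Policy check: the network client may only run under a non-root uid.
network_step_allowed() {
    [ "$1" -ne 0 ]
}

# Step 1 (as $FETCHER): download the distfiles and verify them against distinfo.
# Assumption: make(1) only needs write access to DISTDIR for this target.
# su -m keeps the environment (PATH etc.) so make finds its tools.
fetch_as_unprivileged() {
    portdir=$1
    uid=$(id -u "$FETCHER")
    network_step_allowed "$uid" || { echo "$FETCHER must not be root" >&2; return 1; }
    su -m "$FETCHER" -c "cd '$portdir' && make DISTDIR='$FETCH_DISTDIR' checksum"
}

# Step 2 (as root): re-verify checksums, then build and install.
# FETCH_CMD=/usr/bin/false makes any attempt to fetch as root fail loudly
# instead of silently putting root on the network.
install_as_root() {
    portdir=$1
    [ "$(id -u)" -eq 0 ] || { echo "install step needs root" >&2; return 1; }
    (cd "$portdir" && make DISTDIR="$FETCH_DISTDIR" FETCH_CMD=/usr/bin/false checksum)
    (cd "$portdir" && make DISTDIR="$FETCH_DISTDIR" FETCH_CMD=/usr/bin/false install clean)
}

main() {
    portdir=${1:?usage: $0 /usr/ports/category/port}
    fetch_as_unprivileged "$portdir"
    install_as_root "$portdir"
}

if [ $# -gt 0 ]; then main "$@"; fi
```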