From owner-freebsd-security Wed Dec 1 14:49: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id A85BB151B9; Wed, 1 Dec 1999 14:49:02 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 6B4DE1CD810; Wed, 1 Dec 1999 14:49:02 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 1 Dec 1999 14:49:02 -0800 (PST) From: Kris Kennaway To: Brock Tellier Cc: "Jordan K. Hubbard" , Bill Swingle , security@FreeBSD.ORG Subject: Re: [Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities] ] In-Reply-To: <19991201200257.17312.qmail@nwcst313.netaddress.usa.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1 Dec 1999, Brock Tellier wrote: > Personally, I don't think it is at all unreasonable to do a full 2700 port > install via sysinstall and audit the 200 or so suid-programs. Sure, it's > important that the others be free from symlink problems and in a few cases, > buffer overflows, but focusing, as I did, on the suids wouldn't be > ridiculously difficult. More than 50% of these programs could safely lose > their suid-bit. Considering the number of people who will actually need > "xmindpath" suid vs. the number of people who just do a full install because > they don't want to miss anything, I'd say you're pretty safe. This is a legitimate point, and I hope this is something the newly-formed FreeBSD auditing project will be able to handle. Given your proven expertise in finding these problems (e.g. the demolition job you did on SCO :), perhaps you'd like to be a part of that effort - just subscribe to audit@freebsd.org and announce yourself. I for one would welcome your assistance. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message