From owner-freebsd-security Thu Sep 14 10: 9:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hub.lovett.com (hub.lovett.com [216.60.121.161])
	by hub.freebsd.org (Postfix) with ESMTP
	id BA9BC37B423; Thu, 14 Sep 2000 10:09:54 -0700 (PDT)
Received: from ade by hub.lovett.com with local (Exim 3.16 #1)
	id 13ZcWD-000JMs-00; Thu, 14 Sep 2000 12:09:49 -0500
Date: Thu, 14 Sep 2000 12:09:49 -0500
From: Ade Lovett
To: Kris Kennaway
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914120949.E73990@FreeBSD.org>
References: <20000914101417.A73358@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.org on Thu, Sep 14, 2000 at 10:04:51AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 10:04:51AM -0700, Kris Kennaway wrote:
> Hmm. Doing it this way will spam any local configuration changes someone
> may make after installation when they upgrade to a new version..are there
> any other settings it is likely people may want to set in the orbitrc
> file?

Well, I have practically every GNOME port installed on my crashbox,
and at no time has anything ever been put in etc/orbitrc.

> What may be better is to make those settings the default policy, and then
> install an orbitrc.sample showing how to override them and only remove
> that file, not orbitrc.

So you'd be happy with installing an orbitrc.sample, followed by
a pkg/MESSAGE printout telling them to merge it with any existing
orbitrc they might have, otherwise their box could be insecure?

-aDe

--
Ade Lovett, Austin, TX.                 ade@FreeBSD.org
FreeBSD: The Power to Serve             http://www.FreeBSD.org/