Date:      Thu, 14 Sep 2000 12:23:20 -0500
From:      Ade Lovett <ade@FreeBSD.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        "Louis A. Mamakos" <louie@TransSys.COM>, security@freebsd.org
Subject:   Re: potential security exposure in GNOME/ORBit?
Message-ID:  <20000914122320.G73990@FreeBSD.org>
In-Reply-To: <Pine.BSF.4.21.0009141013300.64302-100000@freefall.freebsd.org>; from kris@FreeBSD.org on Thu, Sep 14, 2000 at 10:14:31AM -0700
References:  <20000914120949.E73990@FreeBSD.org> <Pine.BSF.4.21.0009141013300.64302-100000@freefall.freebsd.org>

On Thu, Sep 14, 2000 at 10:14:31AM -0700, Kris Kennaway wrote:
> No, I'd like the binary itself to default to not listening on the network
> with a way to enable it, and install the sample file telling them how to
> enable it if they need to. That way the default security isn't compromised
> and we don't spam anyone who may have local changes in their orbitrc.

The problem here is that it's not the binary itself that is
configured to listen on the network (indeed, the defaults for
ipv4 and ipv6 are 0 in the ORBit code itself).

The issue is how ORBit is linked to/run by other applications,
which may or may not turn on ipv4/ipv6 sockets, with
etc/orbitrc and ~/.orbitrc being used for overrides.

So, short of looking at every single port that we have that uses
ORBit directly, and making appropriate modifications, I can't see
how this can be done without potentially hacking a lot of ports,
and also auditing new ones as they come in.

-aDe

-- 
Ade Lovett, Austin, TX.			ade@FreeBSD.org
FreeBSD: The Power to Serve		http://www.FreeBSD.org/

