Date: Thu, 14 Sep 2000 12:23:20 -0500
From: Ade Lovett <ade@FreeBSD.org>
To: Kris Kennaway
Cc: "Louis A. Mamakos", security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914122320.G73990@FreeBSD.org>
References: <20000914120949.E73990@FreeBSD.org>
In-Reply-To: from kris@FreeBSD.org on Thu, Sep 14, 2000 at 10:14:31AM -0700

On Thu, Sep 14, 2000 at 10:14:31AM -0700, Kris Kennaway wrote:
> No, I'd like the binary itself to default to not listening on the network
> with a way to enable it, and install the sample file telling them how to
> enable it if they need to. That way the default security isn't compromised
> and we don't spam anyone who may have local changes in their orbitrc.

The problem here is that it's not the binary itself that is configured to
listen on the network (indeed, the defaults for ipv4 and ipv6 are 0 in the
ORBit code itself). The issue is how ORBit is linked to/run by other
applications, which may or may not turn on ipv4/ipv6 sockets, with
etc/orbitrc and ~/.orbitrc being used for overrides.

So, short of looking at every single port that we have that uses ORBit
directly, and making appropriate modifications, I can't see how this can be
done without potentially hacking a lot of ports, and also auditing new ones
as they come in.

-aDe

--
Ade Lovett, Austin, TX.
ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/
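The message above turns on one configuration detail: ORBit itself defaults ipv4/ipv6 to 0, and the system-wide etc/orbitrc or a per-user ~/.orbitrc can override that. The script below is an added example (not code from the thread, FreeBSD or the ORBit project) that an administrator could use to audit those override files and report whether a TCP transport has been switched on. The key names ORBIIOPIPv4 and ORBIIOPIPv6 are assumed from ORBit's orbitrc format; the message only states that the ipv4/ipv6 defaults are 0, so the script treats an absent key as 0, in line with that. The two orbitrc files it reads are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example: audit orbitrc-style files for network IIOP transports.
# Key names ORBIIOPIPv4 / ORBIIOPIPv6 are an assumption about ORBit's
# orbitrc format; the thread itself only says the ipv4/ipv6 defaults are 0.

# orbit_key FILE KEY -> value of KEY in FILE, or 0 when the file or key is
# absent (ORBit's own default as stated in the message). Comments are
# stripped first and the last assignment wins, as a config parser would do.
orbit_key() {
    file=$1
    key=$2
    [ -r "$file" ] || { echo 0; return; }
    val=$(sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$file" | tail -n 1)
    echo "${val:-0}"
}

# orbit_listens FILE -> "network" if IPv4 or IPv6 IIOP is enabled, else "local"
orbit_listens() {
    v4=$(orbit_key "$1" ORBIIOPIPv4)
    v6=$(orbit_key "$1" ORBIIOPIPv6)
    if [ "$v4" = "1" ] || [ "$v6" = "1" ]; then
        echo network
    else
        echo local
    fi
}

# Constructed sample files: one that keeps ORBit on the UNIX socket only,
# one where a user has enabled the IPv4 transport in their override file.
tmp=$(mktemp -d)
cat > "$tmp/orbitrc.default" <<'EOF'
# constructed: UNIX-domain transport only, no TCP
ORBIIOPUSock=1
EOF
cat > "$tmp/orbitrc.network" <<'EOF'
# constructed: TCP enabled for remote clients
ORBIIOPUSock=1
ORBIIOPIPv4=1   # exposes the CORBA endpoint on the network
EOF

# Usage: the two constructed files, then the real system and user overrides.
for f in "$tmp/orbitrc.default" "$tmp/orbitrc.network" /etc/orbitrc "$HOME/.orbitrc"; do
    echo "$f: $(orbit_listens "$f")"
done
```

Because applications linked against ORBit may enable the sockets themselves, as the message points out, a clean result from this check only covers the override files; it does not prove that no ORBit-using process is listening, so it is best paired with a look at the host's listening sockets.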