From owner-freebsd-security Thu Sep 14 17:13:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4891F37B42C; Thu, 14 Sep 2000 17:13:31 -0700 (PDT) Received: by gw.nectar.com (Postfix, from userid 1001) id 389111925D; Thu, 14 Sep 2000 19:13:30 -0500 (CDT) Date: Thu, 14 Sep 2000 19:13:30 -0500 From: "Jacques A. Vidrine" To: Ade Lovett Cc: security@freebsd.org Subject: Re: potential security exposure in GNOME/ORBit? Message-ID: <20000914191330.A817@spawn.nectar.com> References: <20000914120949.E73990@FreeBSD.org> <20000914122320.G73990@FreeBSD.org> <20000914165613.J74753@lovett.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20000914165613.J74753@lovett.com>; from ade@FreeBSD.org on Thu, Sep 14, 2000 at 04:56:13PM -0500 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Sep 14, 2000 at 04:56:13PM -0500, Ade Lovett wrote: > Unless I hear to the contrary (ie: someone comes up with a better > solution + patches) by 0900 CDT tomorrow 9/15, I'm going to commit my > original patch, modulo that it will install etc/orbitrc.sample and > use a pkg/MESSAGE suggesting that they move it in place for security > reasons. In that case, why bother with an etc/orbitrc.sample? Just have the appropriate message in pkg/MESSAGE. However, I think that is mostly useless. I'd rather see this: if ![ -f ${PREFIX}/etc/orbitrc ]; then echo "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc echo "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc fi I want it secured by default. As you say, if a better solution shows up later, so be it. I doubt anyone outside of the GNOME or ORBit development communities has an orbitrc anyway. -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message