Date: Wed, 1 Dec 1999 14:56:08 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: audit@freebsd.org
Subject: Auditing ports
Message-ID: <Pine.BSF.4.21.9912011449180.87299-100000@hub.freebsd.org>
As Brock Tellier pointed out in Bugtraq, something else we need to focus on is auditing ports which install setuid/setgid executables. Even though these aren't part of "FreeBSD" as such, and we can't possibly audit all 2800 ports, it's not unreasonable to expect people will install a port on their FreeBSD system and we should make an effort that the obvious exploit candidates (setuid/setgid binaries) are secure.

Prime candidates should be ports which we _patch_ to install set[ug]id, which may not have been written with security in mind (e.g. the angband hole Brock published). But there are probably a lot of other ports which install setuid when they don't need to be, or which are stupidly written and shouldn't be given a setuid bit at all.

A first task would be to identify _which_ ports install set[gu]id executables: the easiest way to do this would probably be to install every available package on a box at once (or do them in chunks), compile a list of set[gu]id files and track them back to which port they came from. We can then prioritize this list in terms of potential severity.

Anyone able to do this step?

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
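The inventory step the mail proposes (list every set[ug]id file on a box with many packages installed, then trace each one back to the package that shipped it) can be scripted. The following is an added example, not code from the mail or from the FreeBSD project; it assumes a FreeBSD host with pkg(8), whose `pkg which -q FILE` prints the owning package name, or an older system with `pkg_info -W`, and falls back to "(no package)" where neither tool claims the file, which is exactly the set of files (base system, hand-installed, or leftovers) that the mail says need separate attention.

```sh
#!/bin/sh
# Added example: enumerate setuid/setgid files under a tree and attribute
# each one to the package (port) that installed it. Assumptions: FreeBSD
# pkg(8) with "pkg which -q", or the older "pkg_info -W"; without either,
# every file is reported as "(no package)".

# Print every regular file under $1 carrying the setuid (-perm -4000) or
# setgid (-perm -2000) bit, one path per line. -xdev keeps the scan on one
# filesystem so NFS mounts and /proc are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Map one path to its owning package. Prints the package name, or nothing
# if no package manager claims the file (or none is installed).
owner_of() {
    if command -v pkg >/dev/null 2>&1; then
        pkg which -q "$1" 2>/dev/null || true
    elif command -v pkg_info >/dev/null 2>&1; then
        pkg_info -qW "$1" 2>/dev/null || true
    fi
}

# Report "mode owner:group package path" for each set[ug]id file under $1,
# sorted by package so reviewers can work through the list one port at a
# time. Tries GNU stat first, then BSD stat, so the same script runs on both.
setid_report() {
    list_setid "$1" | while IFS= read -r f; do
        pkg_name=$(owner_of "$f")
        [ -n "$pkg_name" ] || pkg_name="(no package)"
        mode=$(stat -c '%A %U:%G' "$f" 2>/dev/null || stat -f '%Sp %Su:%Sg' "$f" 2>/dev/null)
        printf '%s %s %s\n' "$mode" "$pkg_name" "$f"
    done | sort -k3
}

# Usage (run as root so every directory is readable):
#   setid_report /usr/local
```

Running it against `/usr/local` rather than `/` restricts the scan to what ports install, which is the list the mail asks for; a run over `/` additionally shows the base system's own set[ug]id binaries for comparison. Files that come back as "(no package)" are worth a second look, since nothing on the system accounts for them.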