From owner-freebsd-audit Wed Dec 1 14:56: 9 1999 Delivered-To: freebsd-audit@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 6146615057; Wed, 1 Dec 1999 14:56:08 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 517C11CD80E for ; Wed, 1 Dec 1999 14:56:08 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 1 Dec 1999 14:56:08 -0800 (PST) From: Kris Kennaway To: audit@freebsd.org Subject: Auditing ports Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG As Brock Tellier pointed out in Bugtraq, something else we need to focus on is auditing ports which install setuid/setgid executables. Even though these aren't part of "FreeBSD" as such, and we can't possibly audit all 2800 ports, it's not unreasonable to expect people will install a port on their FreeBSD system and we should make an effort that the obvious exploit candidates (setuid/setgid binaries) are secure. Prime candidates should be ports which we _patch_ to install set[ug]id, which may not have been written with security in mind (e.g. the angband hole Brock published). But there are probably a lot of other ports which install setuid when they don't need to be, or which are stupidly written and shouldn't be given a setuid bit at all. A first task would be to identify _which_ ports install set[ug]id executables: the easiest way to do this would probably be to install every available package on a box at once (or do them in chunks), compile a list of set[gu]id files and track them back to which port they came from. We can then prioritize this list in terms of potential severity. Anyone able to do this step? Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message