Date:      Thu, 2 Dec 1999 10:16:44 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Mark Murray <mark@grondar.za>
Cc:        Kris Kennaway <kris@hub.freebsd.org>, satoshi@freebsd.org, audit@freebsd.org
Subject:   Re: Auditing ports 
Message-ID:  <Pine.BSF.3.96.991202101402.12358A-100000@fledge.watson.org>
In-Reply-To: <199912020559.HAA24545@gratis.grondar.za>

On Thu, 2 Dec 1999, Mark Murray wrote:

> [ Satoshi CC'ed for comment ]
> 
> Satoshi - background: The problem of auditing all 2800 ports was
> raised, and was reduced to the problem of auditing those which
> we patched to be set[gu]id.
> 
> Kris continues:
> 
> > A first task would be to identify _which_ ports install set[ug]id
> > executables: the easiest way to do this would probably be to install every
> > available package on a box at once (or do them in chunks), compile a list
> > of set[gu]id files and track them back to which port they came from. We
> > can then prioritize this list in terms of potential severity.
> 
> Satoshi - is there any way that your ports-building engines can help
> us here by (say) spitting out some "ls -laR" lists automatically?
> 
> We'll then grep them for s[gu]id bits and do the rest.

So, while this is certainly useful (setuid binaries are prime targets),
there's a lot of other code in the ports collection that will run with
privilege, making it also relevant.  This includes daemons, inetd-spawned
or otherwise, etc, etc.  Everyone remembers, of course, the UWash IMAP
server :-).

Maybe the better approach is to have a new Makefile entry AUDIT_ME=yes for
code that the porter feels might benefit from auditing.  On the other
hand, root can and probably will run any port installed so who cares :-).

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
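
The listing-and-grep step proposed in the quoted message, as an added example that is not part of the original e-mail: an awk filter over `ls -laR` output that reports set[ug]id regular files with their full path, owner and group. The function names, the sample listing and the file names in it are constructed for illustration.

```sh
#!/bin/sh
# Added example: report set[ug]id regular files from `ls -laR` output on stdin.
# $1 is the directory the listing started from; it is used until the first
# "dir:" header appears (some ls versions print no header for the first one).
find_setid() {
    awk -v dir="${1:-.}" '
    {
        # Lines that begin with a 10-character mode string are entries.
        is_entry = ($1 ~ /^[-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]/)
    }
    !is_entry && /:$/ { dir = substr($0, 1, length($0) - 1); next }
    !is_entry || NF < 9 { next }
    substr($1, 1, 1) != "-" { next }   # skip dirs (setgid dirs), links, devices
    {
        kind = ""
        if (substr($1, 4, 1) ~ /[sS]/) kind = "setuid"
        if (substr($1, 7, 1) ~ /[sS]/) kind = (kind == "" ? "setgid" : "setuid+setgid")
        if (kind == "") next
        # Drop the eight leading fields so names containing spaces survive.
        name = $0
        for (i = 1; i <= 8; i++) sub(/^ *[^ ]+/, "", name)
        sub(/^ /, "", name)
        printf "%s\t%s:%s\t%s/%s\n", kind, $3, $4, dir, name
    }'
}

# Constructed sample listing (not real build output).
sample_listing() {
    cat <<'EOF'
total 4
drwxr-xr-x  4 root  wheel  512 Dec  2 10:16 .
drwxr-xr-x  9 root  wheel  512 Dec  2 10:16 ..
drwxr-xr-x  2 root  wheel  512 Dec  2 10:16 bin
drwxrwsr-x  2 root  games  512 Dec  2 10:16 share

/usr/local/bin:
total 96
-r-sr-xr-x  1 root  wheel  40960 Dec  2 10:16 exampled-helper
-r-xr-sr-x  1 root  games  20480 Dec  2 10:16 example game
-r-xr-xr-x  1 root  wheel  10240 Dec  2 10:16 plain
lrwxr-xr-x  1 root  wheel      5 Dec  2 10:16 link -> plain
EOF
}

sample_listing | find_setid /usr/local
```

The output is tab-separated (kind, owner:group, path), so it can be sorted by owner to put setuid-root files first when prioritizing; mapping each path back to its port is a separate step.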


