From owner-freebsd-audit Thu Dec 2 7:18: 6 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 315EE14CD2;
	Thu, 2 Dec 1999 07:18:02 -0800 (PST)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id KAA12458;
	Thu, 2 Dec 1999 10:16:44 -0500 (EST)
	(envelope-from robert@cyrus.watson.org)
Date: Thu, 2 Dec 1999 10:16:44 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Mark Murray
Cc: Kris Kennaway, satoshi@freebsd.org, audit@freebsd.org
Subject: Re: Auditing ports
In-Reply-To: <199912020559.HAA24545@gratis.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 2 Dec 1999, Mark Murray wrote:

> [ Satoshi CC'ed for comment ]
>
> Satoshi - background: The problem of auditing all 2800 ports was
> raised, and was reduced to the problem of auditing those which
> we patched to be set[gu]id.
>
> Kris continues:
>
> > A first task would be to identify _which_ ports install set[ug]id
> > executables: the easiest way to do this would probably be to install every
> > available package on a box at once (or do them in chunks), compile a list
> > of set[gu]id files and track them back to which port they came from. We
> > can then prioritize this list in terms of potential severity.
>
> Satoshi - is there any way that your ports-building engines can help
> us here by (say) spitting out some "ls -laR" lists automatically?
>
> We'll then grep them for s[gu]id bits and do the rest.

So, while this is certainly useful (setuid binaries are prime targets),
there's a lot of other code in the ports collection that will run with
privilege making it also relevant. This includes daemons, inetd-spawned
or otherwise, etc, etc. Everyone remembers, of course, the UWash IMAP
server :-).

Maybe the better approach is to have a new Makefile entry AUDIT_ME=yes for
code that the porter feels might benefit from auditing. On the other
hand, root can and probably will run any port installed so who cares :-).

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
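
The "ls -laR" scan proposed in the quoted text, sketched as an added example that is not part of the original message or of any FreeBSD tooling: it reads a recursive listing on stdin and prints the set[ug]id regular files with their full paths, most urgent first. The function names, the three-level priority scheme and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find set[ug]id regular files in
# "ls -laR" output on stdin. Output columns (tab separated):
# priority, kind, owner, group, full path. Priority 1 = setuid root,
# 2 = setuid to another user, 3 = setgid only (hypothetical scheme).
find_sugid() {
    LC_ALL=C awk '
    # ls -R prints each directory as a header line ending in ":".
    /^\/.*:$/ || /^\.(\/.*)?:$/ { dir = substr($0, 1, length($0) - 1); next }
    # Regular files only; symlinks and setgid directories are skipped.
    /^-/ && NF >= 9 {
        suid = (substr($1, 4, 1) ~ /[sS]/)   # owner-execute slot
        sgid = (substr($1, 7, 1) ~ /[sS]/)   # group-execute slot
        if (!suid && !sgid) next
        # Rebuild the name from field 9 on so embedded spaces survive.
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        if (suid && $3 == "root") prio = 1
        else if (suid) prio = 2
        else prio = 3
        kind = suid ? (sgid ? "setuid+setgid" : "setuid") : "setgid"
        printf "%d\t%s\t%s\t%s\t%s/%s\n", prio, kind, $3, $4, dir, name
    }' | LC_ALL=C sort -n
}

# Constructed sample listing; file names, owners and sizes are made up.
sample_listing() {
cat <<'EOF'
/usr/local/bin:
total 96
drwxr-xr-x  2 root  wheel     512 Dec  2 07:00 .
drwxr-xr-x 12 root  wheel     512 Dec  2 07:00 ..
-r-xr-xr-x  1 root  wheel   20480 Dec  2 07:00 plaintool
-r-xr-sr-x  1 root  games   30720 Dec  2 07:00 examplegame
-r-sr-xr-x  1 uucp  dialer  51200 Dec  2 07:00 exampledial
-r-sr-xr-x  1 root  wheel   40960 Dec  2 07:00 examplemount
lrwxr-xr-x  1 root  wheel      12 Dec  2 07:00 alias -> examplemount

/usr/local/libexec:
total 8
drwxr-sr-x  2 root  wheel     512 Dec  2 07:00 spooldir
EOF
}

sample_listing | find_sugid
```

A listing like this only covers the set[ug]id case; daemons and inetd-spawned services that run with privilege, raised in the reply above, do not show up in file modes and need a separate inventory.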