Date: Sat, 26 Jan 2002 00:29:05 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Ryan Thompson <ryan@sasknow.com>
Cc: Kris Kennaway <kris@obsecurity.org>, ports@FreeBSD.ORG
Subject: Re: Improved install-time ports security audit patches
Message-ID: <20020126002905.A75660@xor.obsecurity.org>
In-Reply-To: <20020126021507.H58790-100000@catalyst.sasknow.net>; from ryan@sasknow.com on Sat, Jan 26, 2002 at 02:24:26AM -0600
References: <20020125180735.A71558@xor.obsecurity.org> <20020126021507.H58790-100000@catalyst.sasknow.net>
On Sat, Jan 26, 2002 at 02:24:26AM -0600, Ryan Thompson wrote:
> > and checks for unsafe functions like gets, mktemp, tempnam, and
> > tmpnam (and if you have the PORTS_AUDIT env variable set, also
> > sprintf, strcat and strcpy), and reports on their occurrence in a
> > binary if they occur in conjunction with the binary being setugid,
> > or a network client/server.
>
> Good stuff. I suppose that this may induce some unwarranted (but
> possibly useful) paranoia, with harmless/careful uses of gets et
> al... Any idea how many ports are going to generate these warnings?
> I'd guess if it's "most of them", the warnings are likely going to get
> ignored by many. But, as with the other warnings, when their box gets
> rooted, at least we can say "I told ya so". :-)

I don't know yet... I'll put it through a bento run before I commit it to
test that. However, *any* port which uses the functions it will warn
about by default should be fixed. The paranoid-mode ones are functions
which are possible to use safely or not, but are often misused.

Kris
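The audit policy described in the quoted text, as an added example that is not part of the original thread and not the FreeBSD ports framework's own code: it parses `nm -D`-style output for a binary's imported symbols, reports the always-unsafe functions (gets, mktemp, tempnam, tmpnam) only when the binary is setuid/setgid or looks like a network program, and widens the list to sprintf/strcat/strcpy when the PORTS_AUDIT-style paranoid flag is set. The function names come from the message; treating references to socket/connect/bind/accept/listen as the "network client/server" signal, the `nm -D` parsing, and the sample nm output are assumptions of this example.

```python
"""Install-time audit of a binary's imported libc symbols.

Added example modelled on the policy in the message above; not the ports
framework's implementation. Assumptions are marked in comments.
"""
import os
import re
import stat
import subprocess
import sys

# Functions warned about by default (from the message).
ALWAYS_UNSAFE = {"gets", "mktemp", "tempnam", "tmpnam"}
# Functions warned about only in paranoid mode, i.e. PORTS_AUDIT set (from the message).
PARANOID_UNSAFE = {"sprintf", "strcat", "strcpy"}
# Assumption: referencing any of these marks the binary as a network client/server.
NETWORK_MARKERS = {"socket", "connect", "bind", "accept", "listen"}

# One `nm -D` line: optional hex address, one-letter symbol type, symbol name.
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")

# Constructed sample of `nm -D` output for a fictitious network daemon.
SAMPLE_NM = """\
                 U accept
                 U gets
0000000000001139 T main
                 U socket
                 U strcpy
                 w __gmon_start__
"""


def undefined_symbols(nm_output: str) -> set:
    """Return the names of undefined (imported) symbols, type 'U', in nm output."""
    syms = set()
    for line in nm_output.splitlines():
        m = _NM_LINE.match(line)
        if m and m.group(1) == "U":
            # Assumption: strip a versioned suffix such as gets@GLIBC_2.2.5 if present.
            syms.add(m.group(2).split("@", 1)[0])
    return syms


def audit(nm_output: str, mode: int, paranoid: bool = False) -> list:
    """Apply the policy: warn only for setugid or network binaries.

    `mode` is the st_mode of the installed file; `paranoid` mirrors PORTS_AUDIT.
    Returns a sorted list of human-readable warnings (empty when nothing applies).
    """
    imports = undefined_symbols(nm_output)
    setugid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    network = bool(imports & NETWORK_MARKERS)
    if not (setugid or network):
        return []  # unprivileged, non-network binary: nothing to report under this policy

    watch = set(ALWAYS_UNSAFE)
    if paranoid:
        watch |= PARANOID_UNSAFE

    reasons = []
    if setugid:
        reasons.append("setuid/setgid")
    if network:
        reasons.append("network client/server")
    context = " and ".join(reasons)
    return sorted(f"{fn} used in {context} binary" for fn in imports & watch)


def audit_file(path: str) -> list:
    """Audit a real installed binary: stat it and run `nm -D` (needs binutils nm)."""
    mode = os.stat(path).st_mode
    out = subprocess.run(["nm", "-D", path], capture_output=True, text=True, check=True)
    paranoid = "PORTS_AUDIT" in os.environ
    return audit(out.stdout, mode, paranoid)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for w in audit_file(sys.argv[1]):
            print("WARNING:", w)
    else:
        # Demonstrate the policy on the constructed sample, with and without paranoid mode.
        for w in audit(SAMPLE_NM, 0o755, paranoid="PORTS_AUDIT" in os.environ):
            print("WARNING:", w)
```

Run it with a path to audit an installed program, or with no arguments to see the policy applied to the constructed sample; set PORTS_AUDIT in the environment to include the paranoid-mode functions.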