Date: Sat, 12 Sep 1998 23:35:54 -0500 (EST)
From: John Fieber <jfieber@indiana.edu>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: sshd
Message-ID: <Pine.BSF.4.02A.9809122252530.2501-100000@fallout.campusview.indiana.edu>
In-Reply-To: <Pine.SUN.3.96.980912200252.21513B-100000@roble.com>

[topic drift from security to ports; CC: added]

On Sat, 12 Sep 1998, Roger Marquis wrote:

> For one thing 'make -n install' typically doesn't yield readable
> information unless you first 'cd work/*'.

'more pkg/PLIST' is generally more efficient......if the PLIST is
accurate.

> Secondly, while port A installs under /usr/<newdir>, port B
> installs to /usr/local/etc and port C in /usr/libexec, ...
> You can never be sure what is going where and it's a rare
> port that can be uninstalled with 'make uninstall'.

I have 103 ports installed on my machine now. Not one of them
*ever* installed anything in /usr/<newdir>---I would have noticed
right away because my /usr file system is read only. If you find
a port that installs something (a) somewhere off limits or (b)
somewhere okay but in a bone-headed layout, by all means submit a
bug report to the maintainer.

Is it better to make ports conform to a strict BSD style file
layout or stick with the style native to the software being
ported? If I only managed FreeBSD systems, I'd opt for strict
BSD but since I manage a number of other platforms I also value
cross-platform consistency which may sometimes mean using an
un-BSD-like layout. Short of providing multiple layout options
in the port, you can't satisfy everyone.

A majority of the ports I've installed uninstall pretty cleanly.
The most common offense is leaving empty directories around.

Again, this is all a volunteer project. If you install a port
and spot a problem, submit a patch to the maintainer listed in
the makefile!

A more frustrating problem for me is ports that are not
${PREFIX} != /usr/local compatible which makes it a hassle to
install multiple versions of a port or separate ports that have
common files. Also, I occasionally go through phases of liking
the SysV way of installing things in /opt/<portname>,
/etc/opt/<portname> and /var/opt/<portname> which a simple 'make
PREFIX=/opt/<portname>' doesn't really accomplish.

> There's also no way to validate all of the source hosts listed in the
> Makefile. We've downloaded hacked versions of a port and had to
> redownload and recompile when the hack became obvious (through corrupt
> syslogs and attempts to grab /pwd.db).

Um, that is what the checksums on the distfiles are for. Not a
100% guarantee of not being hacked, but a reasonable defense if
you trust the person who made the port. Again, I hope you
reported these incidents to the maintainer of the port.

-john
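
The distfile checksum check discussed in the message above, as an added example (not part of the original e-mail and not the ports tree's own code). It assumes a manifest of BSD-style `SHA256 (file) = hex` and `SIZE (file) = n` lines obtained separately from the download mirror; the file name in the demo is hypothetical and its contents are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# "ALGO (filename) = value", the layout BSD sha256(1) prints (assumed manifest format)
ENTRY = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = ([0-9a-f]+)$")


def parse_manifest(text):
    """Return {filename: {"SHA256": hex, "SIZE": digits}}; unparsable lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value
    return entries


def verify_distfile(path, manifest_text):
    """Check one downloaded file; any result other than "ok" means do not build it."""
    path = Path(path)
    want = parse_manifest(manifest_text).get(path.name)
    if want is None or "SHA256" not in want:
        return "unlisted"  # fail closed: no recorded checksum, no trust
    if "SIZE" in want and want["SIZE"] != str(path.stat().st_size):
        return "size-mismatch"  # cheap check before hashing
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    if not hmac.compare_digest(digest.hexdigest(), want["SHA256"]):
        return "checksum-mismatch"
    return "ok"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        data = b"constructed distfile contents\n"  # stand-in for a real tarball
        distfile = Path(tmp) / "example-1.0.tar.gz"  # hypothetical name
        distfile.write_bytes(data)
        manifest = "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
            distfile.name, hashlib.sha256(data).hexdigest(), distfile.name, len(data))
        print(verify_distfile(distfile, manifest))  # file as recorded by the porter
        distfile.write_bytes(b"constructed distfile c0ntents\n")  # altered on a mirror
        print(verify_distfile(distfile, manifest))
```

An "ok" result only shows that the file matches what the port's author recorded, so the manifest has to arrive by a channel the mirror operator cannot alter.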
