Date: Thu, 17 Jan 2002 11:23:55 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-questions@FreeBSD.ORG
Subject: Re: gets() is unsafe (fwd)
In-Reply-To: <3C45DE1B.50400@xsb.com>

> Buliwyf McGraw wrote:
> > Kris Kennaway, and lo! it spake thus:
> >>> * Buliwyf McGraw [020114 14:49] wrote:
> >>>> Hi... I was installing several applications (php, xmms, etc) on my
> >>>> FreeBSD 4.4 server and I got the next message a lot of times when
> >>>> I was compiling:
> >                ^^^^^^^^^
> >>>>
> >>>> /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> >>>> consider using mkstemp()
> >>>> /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> >>>> consider using mkstemp()
> >>>>
> > [...]
> >>> No, this is a FAQ; it's a bug in the linker which causes it to trip
> >>> every single _warn_references() in the library when it links to libc,
> >>> regardless of whether the program actually uses the functions in
> >>> question.
> >>
> >> I think it's an even better FAQ: Why, when he's compiling, is it linking
> >> against a compat/libc?
> >
> > Ok... I have to say that I am not an expert on FreeBSD, just a new
> > admin... I installed FreeBSD 4.4 on my box (in some way, "everything by
> > default")... and then I started to install some applications (apache, php, etc),
> > not with the /stand/sysinstall utility, but in the traditional way:
> > - Download the *.tar.gz
> > - Uncompress, configure, make, make install
> >
> > I expected no problems... but as you can see, the warning messages give
> > an "insecure" sensation.
> > I want to do something to avoid those messages when I try to compile a GNU
> > application.
> > Thanks for your comments and help.
>
> The easiest thing to do is to install your applications from the ports.
> If you installed the ports collection, these are available under
> /usr/ports. For example, to install Apache, you can cd to
> /usr/ports/www/apache2 (or apache*) and then just type make install.
> Any modifications or special configurations are handled by the port. You
> can similarly install mod_php from /usr/ports/www/mod_php4 (or
> mod_php3).
>
> This doesn't seem to be very much related to security.
> Cc'ing to freebsd-questions.

Of course this does seem to be related to security.

I was working with FreeBSD 3.4 before upgrading to 4.4... and this problem didn't exist.

My point is: What is the limit between Security and Administration?
I mean, some people need php with support for mysql and imap... and others for oracle and gd... everyone has a lot of different needs... Is it possible that the ports could cover all the configure requirements of the roots? Apache offers a lot of configuration options...
which of them does /usr/ports/www/apache2 use? Does using the ports seem to be a "relatively" secure standard for the future?

As I see it, if I don't use the ports then the compiler is going to tell me whether the code of the application that I am installing is insecure or not.

Ok, I did this test... xmms 1.25 has a security problem (I read something about it but I don't know exactly the problem description); the point is, that is the version of xmms in the ports for FreeBSD 4.4. I was looking in the xmms web site (www.xmms.org) and I found a new version of the program (1.26) that fixes the problems of the 1.25... I downloaded the new source code and tried to compile it... but the compiler told me: "unsafe code" and I got a lot of error/warning messages about it. In the end, I couldn't install it.

Let's try the ports, I said:

    % cd /usr/ports/audio/xmms
    % make
    % make install

No Pain!... No Problem!... No warning messages about insecure code... but the application has security vulnerabilities (1.2.5).

The ports are a good/easy way to install applications on the box, but they don't offer security guarantees.

I am not an expert, but I think that the warning messages are more than a bug... it seems like a security standard or something like this... maybe in the future, if the application isn't in the ports, you cannot install it on your FreeBSD (don't worry, it is just paranoia).

Anyway, thanks for your help and comments.

=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================
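The mkstemp() replacement that the quoted linker warning recommends, as an added example written for this page (not code from the thread or from FreeBSD); the directory argument and the "example." file prefix are assumptions:

```c
/* Added example (not from the thread): the mkstemp() replacement that the
 * linker warning recommends. mktemp()/tmpnam() only hand back a NAME; any
 * local user can create or symlink that name before the program opens it,
 * so the program may write through a file it did not create. mkstemp()
 * creates the file itself (O_CREAT|O_EXCL, mode 0600) and returns the open
 * descriptor, so there is no window between naming and opening. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Post-condition check on an open temp descriptor: a regular file with a
 * single link, owned by the effective user, with no group/other access. */
int tempfd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && st.st_uid == geteuid() && (st.st_mode & 0777) == 0600;
}

/* Create a private temp file under dir (assumed, e.g. "/tmp"), write
 * payload into it and return the open fd. The generated path is copied to
 * path_out (path_len bytes) so the caller can unlink it later.
 * Returns -1 on any failure, leaving no file behind. */
int create_private_tempfile(const char *dir, const char *payload,
                            char *path_out, size_t path_len)
{
    char tmpl[PATH_MAX];
    int fd;
    /* The six X's are replaced in place by mkstemp(). */
    if (snprintf(tmpl, sizeof tmpl, "%s/example.XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Some older libcs created the file with a wider mode; force 0600. */
    if (fchmod(fd, 0600) != 0 || !tempfd_is_private(fd)
        || write(fd, payload, strlen(payload)) != (ssize_t)strlen(payload)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}
```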