From: Lowell Gilbert
To: freebsd@critesclan.com
cc: freebsd-security@freebsd.org
Date: 06 Aug 2003 18:00:49 -0400
Subject: Re: statically compiled files left over after a 'make world'
Message-ID: <44llu6v432.fsf@be-well.ilk.org>

writes:

> I'm not sure if there is a "deal" to be made over this, but the question
> still remains. What do you do with those programs that have not been rebuilt
> in a buildworld? Are they security risks? Are they simply things missed in
> the make, and someone needs to add them in?
>
> The impression I have is that anything not rebuilt after the above process
> is an error condition that should be addressed. Am I wrong?

With a couple of exceptions, you're right. The exceptions, however,
are important.

One is programs that weren't in the base system to begin with; there
are again two types of these: those that have been mistakenly
installed to base system directories (this occasionally happens with
broken ports), and /stand, which is installed by the initial install
but is not part of the base system (if you want an updated version,
you have to build it separately).

The other exception is things that *used* to be in the base system,
but have been removed. These (an example is kernfs support) can be
safely removed, but there is currently no mechanism to do so
automatically.