From owner-freebsd-current Tue Nov 23 15:22:12 1999
Delivered-To: freebsd-current@freebsd.org
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 97E5C15433; Tue, 23 Nov 1999 15:21:53 -0800 (PST) (envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.9.3/8.9.3) id SAA03005; Tue, 23 Nov 1999 18:21:17 -0500 (EST) (envelope-from mwlucas)
Message-Id: <199911232321.SAA03005@blackhelicopters.org>
Subject: Re: FreeBSD security auditing project.
In-Reply-To: from Kris Kennaway at "Nov 23, 1999 2: 8:31 pm"
To: kris@hub.freebsd.org (Kris Kennaway)
Date: Tue, 23 Nov 1999 18:21:17 -0500 (EST)
Cc: current@freebsd.org
From: mwlucas@gltg.com
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > Here is my 0.02:
> >
> > I think it would be useful to identify "unsafe" functions, so that
> > anyone can participate in the "eyeball" portion of the game. This means
> > that we need eyeballed, identified as a (potential) problem and fixed,
> > as well as some other possibilities. There is a lot of code out there,
> > and it would help if we could involve the non-programmers in the search.
> >
> > Comments?
>
> Yep, this is part of the "education" component: "this is what an unsafe
> function call looks like, and this is how to fix it". There's bound to be
> enough useful documentation out there which we can collect and point to.

Speaking as a beginning programmer, longtime FreeBSD user:

Given the above, I would be happy to contribute eyeballs. As a network
engineer, I spend a lot of time alone with my laptop.

Might I suggest a set of instructions along the lines of:

a) This is what an unsafe function call looks like
b) This is a typical workaround for unsafe call X, Y, Z
c) Pick a chunk of code. Begin looking for these calls.
d) When you find one of these calls
   1) Apply the workaround
   2) Make sure the program still compiles
   3) Submit patch to security-audit-coordinator@freebsd.org
e) Repeat until intimately familiar with BSD

In fact, I'll go further: If someone can point out a reliable resource on
the Net for a) and b), I'll be happy to write up a first draft of "The
FreeBSD Security Audit for Beginners". I'm sure that any number of
programmers out there would be happy to review it for technical accuracy
before putting it into circulation.

After all, FreeBSD articles are covering Christmas this year. I suppose the
least I can do is write something for you folks for free. ;)

==ml

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
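An added example of what steps (a) through (d) above would hand a beginner, written for this archive page and not part of the thread or of the FreeBSD audit project's own material. The message names no functions, so the list of "unsafe" calls here (strcpy, strcat, sprintf, gets) is an assumption, chosen because they are the classic unbounded string routines a C audit of that era would start with. The "before" function shows the pattern to look for, the "after" function shows the usual workaround (a bounded copy via snprintf that detects truncation), and flag_unsafe_call() is a deliberately crude line scanner for step (c), with one edge case handled: "fgets(" and "my_strcpy(" must not be reported as hits for "gets(" and "strcpy(". The sample source lines in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed list of calls to look for; the message names none. */
static const char *const UNSAFE_CALLS[] = { "strcpy(", "strcat(", "sprintf(", "gets(" };
#define N_UNSAFE (sizeof UNSAFE_CALLS / sizeof UNSAFE_CALLS[0])

/* Step (c): scan one source line for an unsafe call. Returns the index
   into UNSAFE_CALLS of the first hit, or -1 if the line is clean.
   A hit must begin an identifier, otherwise "fgets(" would be reported
   as "gets(" and "my_strcpy(" (someone's own function) as "strcpy(". */
int flag_unsafe_call(const char *line)
{
    for (size_t i = 0; i < N_UNSAFE; i++) {
        const char *p = line;
        while ((p = strstr(p, UNSAFE_CALLS[i])) != NULL) {
            int begins_ident = (p == line) ||
                !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            if (begins_ident)
                return (int)i;
            p++;                    /* keep looking later in the line */
        }
    }
    return -1;
}

#define NAMEBUF 16

/* Step (a): what the unsafe call looks like. Any name of NAMEBUF bytes
   or more runs past the end of buf. Compiled only as the "before"
   illustration; nothing in this file calls it. */
void greet_unsafe(const char *name)
{
    char buf[NAMEBUF];
    strcpy(buf, name);              /* no bound on the copy: the finding */
    printf("hello, %s\n", buf);
}

/* Step (b): the typical workaround. snprintf never writes past dstsz,
   always NUL-terminates, and returns the length it wanted to write, so
   the caller can tell that input was cut off. Returns 0 on success,
   -1 on truncation (dst still holds a terminated prefix). */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

void greet_safe(const char *name)
{
    char buf[NAMEBUF];
    if (copy_name(buf, sizeof buf, name) != 0)
        fprintf(stderr, "name truncated to %zu bytes\n", sizeof buf - 1);
    printf("hello, %s\n", buf);
}

int main(void)
{
    /* Constructed sample lines standing in for "a chunk of code". */
    static const char *const sample[] = {
        "    strcpy(buf, argv[1]);",
        "    fgets(line, sizeof line, stdin);",
        "    snprintf(buf, sizeof buf, \"%s\", s);",
        "    sprintf(msg, \"%s failed\", name);",
        "    my_strcpy(dst, src);",
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int hit = flag_unsafe_call(sample[i]);
        printf("%s %s\n", hit < 0 ? "ok  " : "FLAG", sample[i]);
    }
    greet_safe("Kris");
    greet_safe("a name much longer than the buffer");
    return 0;
}
```

Step (d) is then mechanical: replace the flagged call with the bounded form, rebuild, and confirm the program still behaves the same on input that fits. The scanner is only a starting point for eyeballs; it knows nothing about buffer sizes, so every FLAG still needs a human to decide whether the destination can actually overflow.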