Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 22 Nov 2001 12:35:10 +0200
From:      Peter Pentchev <roam@ringlet.net>
To:        Anthony Atkielski <anthony@freebie.atkielski.com>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: setuid on nethack?
Message-ID:  <20011122123510.A611@straylight.oblivion.bg>
In-Reply-To: <016601c1733d$7a516b00$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 11:07:16AM %2B0100
References:  <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Nov 22, 2001 at 11:07:16AM +0100, Anthony Atkielski wrote:
> What about in the more general case of games?  Would it be a good idea to set
> game files to games:games and 6511?  And what about other types of executables?
> 
> When I add ports and stuff to my system, sometimes they are picked up from some
> bizarre FTP sites, and in cases where the executables do not have to be trusted,
> some guidelines on how better to secure them would be welcome.  I know that
> often they are being rebuilt from source before installation, but it isn't
> really practical to read through the source for every port just to look for
> suspicious code.
> 
> Are ports examined by anyone anywhere for security problems before being
> included in the FreeBSD list of ports?

Yes, they are being actively examined by the maintainer of the port
in question.  It is the port maintainer's job to look through the changes
from version to version and to decide what and where is good and what
is not.  Cases have been known when a maintainer has decided not to update
the port to a new version, or even to update, but disable or patch
a new "feature" away.

In general, yes, you can trust the ports from the Ports Collection
for rebuilding from source (the source tarballs have their MD5 checksums
recorded in the Ports Collection files), and the packages downloaded
from FreeBSD mirrors (they are built from the Ports Collection).

Still, nothing prevents you from changing BINOWN and BINMODE before
building specific ports; <PLUG FLAVOR=shameless> the penv(1) utility
in ports/sysutils/penv might come handy :) </PLUG>
For packages, the situation is a bit weirder, but you could easily
write a script that parses the output of pkg_info -qL, finds
the executables installed by a package and fixes the ownership/permissions.

G'luck,
Peter

-- 
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011122123510.A611>