From owner-freebsd-security  Wed Aug  7 09:32:09 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA14474
          for security-outgoing; Wed, 7 Aug 1996 09:32:09 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA14466
          for <freebsd-security@freebsd.org>; Wed, 7 Aug 1996 09:32:08 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id JAA02642; Wed, 7 Aug 1996 09:32:04 -0700
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
Message-Id: <199608071632.JAA02642@kdat.calpoly.edu>
Subject: Two problems I have with FreeBSD security
To: lchamber@ec.camitel.com (Luc Chamberland)
Date: Wed, 7 Aug 1996 09:32:04 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <XFMail.960806234107.lchamber@ec.camitel.com> from "Luc Chamberland" at Aug 6, 96 07:27:31 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >I'm actually interested in a 'secure' release of FreeBSD, with daemons not
> >running as root, no complicated mailers, few to no setuid binaries -- in
> >essence, what I do to my FreeBSD systems as soon as I install them.
> >
> >Unfortunately, I have recently started a very demanding job and do not have
> >the time to contribute to such a project.  My apologies.
> 
> The FreeBSD on a scale of 10, how many points do you gives for security?
> FreeBSD seems insecure for you!, this is same for all intruders!!!!

I'd give FreeBSD an 8.  Usually, patches for security holes come out very
quickly, and the developers are reachable.  I took one point off of ten
because of the legacy issues (refusals to relinquish bin ownership of files
in /bin and /usr/bin) and one for too much desire to cater to new users at
the expense of security (setuid root ppp/sliplogin... Why can't these be
setgid uucp to open the modem device?)

If the developers handled these two issues, I think I'd upgrade my rating to
a 9.5.  :-)

-- 
Nate Lawson                  "There are a thousand hacking at the branches of
CPE Senior                    evil to one who is striking at the root."
CSL Admin                              -- Henry David Thoreau, 'Walden', 1854