Date: Fri, 23 Nov 2001 01:09:15 -0800
From: Kris Kennaway
To: Anthony Atkielski
Cc: "Gary W. Swearingen", FreeBSD Questions, freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Message-ID: <20011123010915.A35695@xor.obsecurity.org>

On Thu, Nov 22, 2001 at 10:07:42PM +0100, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm not
> installing this at a bank.

If you're going to run software written by Joe Random Coder, there's always an element of risk.
There's nothing about the FreeBSD ports collection which increases this risk, and in fact it makes the situation slightly safer since we check all "spontaneous" changes in the md5 checksum of a distfile where the distfile changes with no change in the software version (e.g. once a few years ago someone broke into the main ftp server for the tcp_wrappers package, and added backdoor code to it. The compromised software could not be installed from the FreeBSD port unless you manually issued an override of the checksum).

We have also found several isolated instances where software authors had 'spyware' code which reports details back to the author; these ports were summarily removed from the ports collection, again making things safer for the end user.

Thirdly, since you have the source code you are free to examine it for yourself and evaluate your level of risk according to whichever criteria you choose.

Kris
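The distfile check described in the message above, as an added example that is not part of the original post and not the ports framework's own code: a fetched file is compared against digests recorded in BSD-style `ALGO (file) = hex` lines, and a mismatch blocks installation unless explicitly overridden. The file name, contents and function names are constructed for illustration; the message refers to MD5, and the sample uses SHA256, which the parser also accepts.

```python
import hashlib
import re

# BSD-style digest line as recorded alongside a port: "SHA256 (name) = hex"
LINE = re.compile(r"^(MD5|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$")


class ChecksumMismatch(Exception):
    """Raised when a fetched distfile does not match its recorded digest."""


def parse_distinfo(text):
    """Return {filename: [(algo, hexdigest), ...]} from recorded digest lines."""
    recorded = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            recorded.setdefault(m.group("name"), []).append(
                (m.group(1), m.group("hex")))
    return recorded


def verify_distfile(name, data, recorded, override=False):
    """Check fetched bytes against every digest recorded for `name`.

    Fails closed: an unlisted file always raises, and a mismatch raises
    unless the caller passes override=True (the manual override).
    Returns True only when the bytes match what was recorded.
    """
    if name not in recorded:
        raise ChecksumMismatch(f"{name}: no recorded checksum")
    bad = [algo for algo, want in recorded[name]
           if hashlib.new(algo.lower(), data).hexdigest() != want]
    if bad and not override:
        raise ChecksumMismatch(f"{name}: {', '.join(bad)} mismatch")
    return not bad


# Constructed sample: the tarball as recorded, then the same file name
# re-rolled upstream with extra content and no version change.
ORIGINAL = b"example-1.0 source tree (constructed)"
TAMPERED = ORIGINAL + b"\n/* extra code, version string unchanged */"
DISTINFO = "SHA256 (example-1.0.tar.gz) = %s\n" % hashlib.sha256(ORIGINAL).hexdigest()
```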