Date: Tue, 03 Oct 2000 17:55:55 -0600
From: Brett Glass
To: Alfred Perlstein, Peter Wemm
Cc: Jonathan Lemon, Paul Richards, Jordan Hubbard, Christopher Masto, Warner Losh, Kris Kennaway, Joseph Scott, Brian Somers, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/finger finger.c

At 05:42 PM 10/3/2000, Alfred Perlstein wrote:

>There's a large difference between kernel and userland here, kernel
>changes need to be backported relatively quickly while userland
>can allow for a longer test period. Separate policies may serve
>us better than one that covers the entire tree.

What about root compromises in userland -- e.g. in setuid apps, daemons
that run (or at least start) as root, etc.? It seems to me that the urgency
of backporting a fix has more to do with the potential risk one incurs
by running the unfixed code, rather than with which "ring" the code is in.

--Brett