From owner-freebsd-security  Thu Jun 17 22:11:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kitsune.swcp.com (swcp.com [198.59.115.2])
	by hub.freebsd.org (Postfix) with ESMTP id BC88C14D67
	for <security@freebsd.org>; Thu, 17 Jun 1999 22:11:22 -0700 (PDT)
	(envelope-from synk@swcp.com)
Received: (from synk@localhost) by kitsune.swcp.com (8.8.8/1.2.3) id XAA15842; Thu, 17 Jun 1999 23:11:06 -0600 (MDT)
Date: Thu, 17 Jun 1999 23:11:06 -0600 (MDT)
From: Brendan Conoboy <synk@swcp.com>
Message-Id: <199906180511.XAA15842@kitsune.swcp.com>
To: jgreco@ns.sol.net
Subject: Re:  make world clobbers (was Re: some nice advice...)
Cc: security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> You are mistaken.  Thankfully.  Root had better damn well never execute 
> anything if there is the slightest amount of doubt.

Ah quite right, I misremembered.  Root can run shell scripts that're
mode 0, but only by sayign "sh this" or "perl that".

> By definition, one isn't too interested in running "make world" on an
> application-server-platform class machine.  You're looking for a platform
> on which to run some application, and about the only thing you'll ever
> need to patch would be the kernel.  Anything else (bugs in userland) is
> merely an annoyance that you can live with because you didn't need any of
> that stuff anyways.  And if you _do_ need to upgrade, you'll do it from
> a binary distribution, not from source, because you can't really afford
> to have your application server offline for the unnecessary luxury of
> building the world.

Er, don't you upgrade from source when there's a security problem in
userland but no new binary distribution?  I do.

> the same way next time, and that's a bad thing.  So I work very hard
> to minimize any such efforts.

Sigh, was afraid of that.  I did get a suggestion to update /etc/make.conf
from Dino A. Dai Zovi, which I am thankful for.

> If I do need to upgrade a system, though, I remove the schg flags in
> single user, install the new distribution, and then re-run all my
> system building scripts, all of which should do the right thing for
> whatever situation they find themselves in.

-Brendan (synk@swcp.com)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message