From: Doug Barton
Date: Tue, 29 May 2001 22:10:18 -0700
To: Vivek Khera
Cc: stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends
Message-ID: <3B1480BA.3262FBA8@DougBarton.net>
References: <15124.4635.887375.682204@onceler.kciLink.com>

Vivek Khera wrote:
>
> Given some recent security issues with older versions of ssh, and that
> some attacks involve replacing the ssh binary on compromised systems
> to capture additional passwords, wouldn't it be prudent to mark the
> ssh related binaries as schg? The rsh related ones already are so
> marked, and it just seems to follow to me that ssh related binaries
> should as well.
>
> If I set the flags manually, will it barf on make installworld next
> time around or does installworld unset all schg flags before
> installing?

It does not. As you've encountered, there will be no consensus on adding schg to the default install of , so it's on you to adopt a suitable local policy.
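For anyone adopting such a local policy, the sketch below is an added example (not part of the original message and not FreeBSD project code) that reads `ls -lo` output and lists the binaries that do not carry schg. The sample listing, its file sizes and the chosen paths are constructed for illustration, and the function names are hypothetical.

```sh
#!/bin/sh
# Audit helper (added example): read FreeBSD `ls -lo` output on stdin and
# print every path whose file-flags column does not include schg.
# Assumes the usual long-listing layout:
#   mode links owner group flags size month day time path
# and paths without whitespace or symlink arrows.
missing_schg() {
    awk '
        NF >= 10 && $1 !~ /^total/ {
            # The flags column is "-" when empty, otherwise comma-separated.
            n = split($5, flags, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") found = 1
            if (!found) print $NF
        }'
}

# Constructed sample listing: rsh-family binaries marked schg, ssh-family
# binaries in mixed states, as a local policy check might encounter them.
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x  1 root  wheel  schg 10332 May 29 22:10 /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  schg 7716 May 29 22:10 /usr/bin/rsh
-r-xr-xr-x  1 root  wheel  - 180620 May 29 22:10 /usr/bin/ssh
-r-xr-xr-x  1 root  wheel  uarch,schg 201004 May 29 22:10 /usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  - 28112 May 29 22:10 /usr/bin/ssh-keygen
EOF
}

# On a live system the input would come from something like:
#   ls -lo /usr/bin/ssh /usr/bin/ssh-keygen /usr/sbin/sshd | missing_schg
sample_listing | missing_schg
```

Run from cron or a periodic script, an unexpected entry in the output flags a binary that has lost (or never had) the flag the local policy expects.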