Date: Fri, 18 Jun 1999 14:55:22 -0500 (CDT)
From: Joe Greco <jgreco@ns.sol.net>
To: synk@swcp.com (Brendan Conoboy)
Cc: security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
Message-ID: <199906181955.OAA78685@aurora.sol.net>
In-Reply-To: <199906181936.NAA17158@kitsune.swcp.com> from Brendan Conoboy at "Jun 18, 1999 1:36:23 pm"

> > > Er, don't you upgrade from source when there's a security problem in
> > > userland but no new binary distribution?  I do.
> >
> > Good grief, no!  *IF* the bug is in a service that you are using,
> > you update the source, build and test the new service on an off-line
> > workstation or server, and when you're certain the changes are
> > reliable, move the new binaries to the target server.
>
> Oh, I see.  We're having a semantical difficulty.  I would still call
> that upgrading from source.  I thought the original poster meant that
> one ought to wait for 3.2-release to come out when there was a
> serious bug in 3.1, to essentially leave the source out of it.

The OS includes no useful applications - therefore you are correct when
you say that you should wait for 3.2-R to come out.

Any server application, be it sendmail, named, ntpd, apache, squid, etc
etc etc., needs to be compiled fresh from the vendor.

Maintaining this as a secure service is a completely different issue.
FreeBSD is highly nonoptimal for this sort of thing, as it comes with
everything thrown into /usr/local or wherever the hell else the porter
felt it should go.

As part of the security paranoia around here, subsystems get top-level
mount points (generally on separate disks) so that the service and the
server are effectively divorced at the filesystem level.  This allows
either to be upgraded with a minimum of fuss.

For example, Web servers around here are all rooted in /www.  The server
is /www/sbin/httpd, the configs are in /www/conf, etc.  Same for ftp,
squid, etc.

The idea is that you are creating a platform on which to run a service:
make the platform as secure and as low-maintenance as possible.

...
Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/342-4847

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
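
Added example, not part of the original message: a small sh audit of the layout described above, where each service tree (such as /www) is its own top-level mount point, generally on a separate disk from the OS. The fstab text is constructed sample data; the /ftp and /squid paths, the function name svc_root_status and the FreeBSD-style device naming (da0s1a = disk da0) are assumptions.

```shell
#!/bin/sh
# Audit service roots against an fstab: is each one a top-level mount point,
# and does it live on a different disk than "/"?

# Constructed sample fstab (not taken from any real host).
SAMPLE_FSTAB='# Device     Mountpoint  FStype  Options  Dump  Pass
/dev/da0s1a  /           ufs     rw       1     1
/dev/da0s1e  /usr        ufs     rw       2     2
/dev/da1s1e  /www        ufs     rw       2     2
/dev/da0s1f  /ftp        ufs     rw       2     2'

# svc_root_status ROOT FSTAB_TEXT
# Prints one of: ok | same-disk-as-root | not-a-mount-point | not-top-level
svc_root_status() {
    root=$1
    fstab=$2

    # A service root must be a single absolute component such as /www;
    # /usr/local/www, "/" itself and relative paths are rejected.
    case $root in
        /?*/*|/|[!/]*|"") echo "not-top-level"; return 0 ;;
    esac

    printf '%s\n' "$fstab" | awk -v root="$root" '
        # Assumed naming: /dev/da0s1a is slice 1, partition a, of disk da0.
        function disk(dev) { sub(/s[0-9]+[a-h]$/, "", dev); return dev }
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        $2 == "/"  { rootdisk = disk($1) }
        $2 == root { svcdisk = disk($1); found = 1 }
        END {
            if (!found)                   print "not-a-mount-point"
            else if (svcdisk == rootdisk) print "same-disk-as-root"
            else                          print "ok"
        }'
}

# Report on the service trees named in the message (paths other than /www
# are assumed by analogy).
for r in /www /ftp /squid; do
    printf '%-8s %s\n' "$r" "$(svc_root_status "$r" "$SAMPLE_FSTAB")"
done
```

On a live host the second argument would be the contents of /etc/fstab; same-disk-as-root is reported as a distinct status because the message says separate disks are the general practice, not a requirement.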