Date: Fri, 23 Nov 2001 12:35:42 -0500
From: Brian T.Schellenberger <bts@babbleon.org>
To: "Anthony Atkielski" <anthony@freebie.atkielski.com>, "Gary W. Swearingen" <swear@blarg.net>
Cc: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: setuid on nethack?
Message-ID: <01112312354202.00791@i8k.babbleon.org>
In-Reply-To: <03a801c17399$ba011c30$0a00000a@atkielski.com>
References: <014201c17336$40653f90$0a00000a@atkielski.com> <g2vgg2v7vn.gg2@localhost.localdomain> <03a801c17399$ba011c30$0a00000a@atkielski.com>
On Thursday 22 November 2001 16:07, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm
> not installing this at a bank.

If I were installing FreeBSD at a bank, I would not install from ports or
over the network at all; I'd get the installation CDs and then track the
security-fixes track. And I'd wait at least a month after the new release
before installing it, to wait for any potential problem to get shaken out.

A maximally safe system is fundamentally incompatible with a maximally
"cool" or "up to date" system.

That said, the ports are surely a lot safer than any Windows-based system;
the MD5 gives you some assurance that it is what you think it is, Unixy
systems are less of a magnet for malware, and the source *is* available;
even if you don't scan it, others will.

If you don't like to live dangerously, then follow this simple rule:
Download the ports but wait at least a week before you actually upgrade or
install any of them, and watch the ports and other lists in the meantime.
If there are severe problems, somebody else will find them & post.

> ----- Original Message -----
> From: "Gary W. Swearingen" <swear@blarg.net>
> To: "Anthony Atkielski" <anthony@freebie.atkielski.com>
> Cc: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
> Sent: Thursday, November 22, 2001 22:00
> Subject: Re: setuid on nethack?
>
> > "Anthony Atkielski" <anthony@freebie.atkielski.com> writes:
> >
> > > When I add ports and stuff to my system, sometimes they are picked up
> > > from some bizarre FTP sites, and in cases where the executables do not
> > > have to be trusted, some guidelines on how better to secure them would
> > > be welcome. I know that often they are being rebuilt from source before
> > > installation, but it isn't really practical to read through the source
> > > for every port just to look for suspicious code.
> >
> > I've also worried about this sort of thing since learning the ports
> > system last winter. There's a lot of downloading and running of scripts
> > as root going on and it's scary, especially after you've spent many days
> > trying to improve your security. A few more observations on the subject:
> >
> > The main defense seems to be the fear of being tracked down by hackers
> > more skillful than most crackers, aided by the use of MD5 to verify that
> > you're installing the same thing that someone else has already installed
> > and found (with meager testing, sadly, but necessarily) to work OK.
> >
> > I've read of little vandalware on FreeBSD (or Linux). The risk seems
> > acceptable for most people, at least those who do backups. There also
> > might not be any less risky practical alternatives for many.
> >
> > If one learns the details of the ports system, one can do all or most of
> > the ports stuff as a regular user, downloading, building, and installing
> > to non-standard, non-root-protected directories. Someone posted some
> > clues about this on -questions (or -stable?) within the last couple of
> > weeks, but I can't find my copy of it.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Brian T. Schellenberger . . . . . . . bts@wnt.sas.com (work)
Brian, the man from Babble-On . . . . bts@babbleon.org (personal)
http://www.babbleon.org
-------> Free Dmitry Sklyarov! (let him go home) <-----------
http://www.eff.org http://www.programming-freedom.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
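The "MD5 gives you some assurance" point in the thread is worth seeing as an actual check. The script below is an added example for this archive page; it is not code from the thread, from the FreeBSD ports tree, or from any of the posters. It verifies a downloaded distfile against checksum lines in the format the ports tree keeps in a port's distinfo file ("MD5 (file) = hex" in 2001; current trees record SHA256 and SIZE lines, which the script also handles). The file names, contents and hashes in the demo are constructed for illustration. The one design decision a practitioner should notice: a distfile that has no entry in distinfo is a failure, not a pass, because "nobody listed a hash for it" means "nobody checked it".

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD ports tree:
# check a downloaded distfile against the checksum lines the ports tree
# keeps in a port's "distinfo" file before building anything as root.
# Line format is the real one ("MD5 (file) = hex"; current trees record
# SHA256 and SIZE lines instead). Filenames and hashes below are constructed.

# digest ALGO FILE: print the requested value as lowercase hex (or a byte
# count for SIZE). Handles both BSD (md5, sha256) and GNU (md5sum,
# sha256sum) tool names so the check runs on the build host as-is.
digest() {
  algo=$1
  file=$2
  case $algo in
    MD5)
      if command -v md5 >/dev/null 2>&1; then md5 -q "$file"
      else md5sum "$file" | cut -d' ' -f1; fi ;;
    SHA256)
      if command -v sha256 >/dev/null 2>&1; then sha256 -q "$file"
      else sha256sum "$file" | cut -d' ' -f1; fi ;;
    SIZE)
      wc -c < "$file" | tr -d ' ' ;;
    *)
      echo "digest: unsupported algorithm $algo" >&2
      return 2 ;;
  esac
}

# verify_distfile DISTINFO DISTFILE
#   0  every checksum line naming DISTFILE matches
#   1  a line names DISTFILE but the value differs (tampered or corrupt file)
#   2  a line uses an algorithm this script cannot compute
#   3  DISTINFO has no line for DISTFILE at all
# A missing entry is a failure, not a pass: an unlisted file was never
# checked by anyone, which is exactly the case the checksum is meant to rule out.
verify_distfile() {
  distinfo=$1
  distfile=$2
  base=$(basename "$distfile")
  found=0
  while IFS= read -r line; do
    case $line in
      *"($base) = "*) ;;
      *) continue ;;
    esac
    found=1
    algo=${line%% *}            # "MD5 (f) = x" -> "MD5"
    expected=${line##*= }       # "MD5 (f) = x" -> "x"
    actual=$(digest "$algo" "$distfile") || return 2
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $base $algo expected $expected, got $actual" >&2
      return 1
    fi
  done < "$distinfo"
  if [ "$found" -eq 0 ]; then
    echo "NO ENTRY: $base is not listed in $distinfo" >&2
    return 3
  fi
  return 0
}

# rc_of CMD ARGS...: print the exit status instead of failing, for the demo.
rc_of() {
  if "$@" 2>/dev/null; then echo 0; else echo $?; fi
}

# run_demo: build a throwaway distfile plus distinfo (constructed data),
# then show the three outcomes: intact file, tampered copy, unlisted file.
# Prints "0 1 3".
run_demo() {
  tmp=$(mktemp -d) || return 1
  good="$tmp/example-1.0.tar.gz"
  printf 'hello\n' > "$good"          # stands in for a real distfile
  cat > "$tmp/distinfo" <<EOF
MD5 (example-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184
SHA256 (example-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (example-1.0.tar.gz) = 6
EOF
  # Same name, different bytes: what a trojaned mirror copy looks like.
  mkdir "$tmp/mirror"
  printf 'hello\n#extra\n' > "$tmp/mirror/example-1.0.tar.gz"
  # A file nobody ever recorded a hash for.
  printf 'x' > "$tmp/other-2.0.tar.gz"

  a=$(rc_of verify_distfile "$tmp/distinfo" "$good")
  b=$(rc_of verify_distfile "$tmp/distinfo" "$tmp/mirror/example-1.0.tar.gz")
  c=$(rc_of verify_distfile "$tmp/distinfo" "$tmp/other-2.0.tar.gz")
  rm -rf "$tmp"
  echo "$a $b $c"
}

run_demo
```

In a real port directory `make checksum` performs this comparison for you; the script only makes visible what that target does and why it is not optional. Two caveats apply to the check itself. A matching hash proves only that you received the same bytes the port committer hashed, not that the upstream tarball is free of anything nasty; that is the part the thread leaves to "others will scan it". And the distinfo file has to reach you over a channel you trust, since whoever can swap the distfile on a mirror and also edit your copy of the ports tree can update the hash to match.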
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01112312354202.00791>