From: Brian T. Schellenberger
To: "Anthony Atkielski", "Gary W. Swearingen"
Cc: "FreeBSD Questions"
Subject: Re: setuid on nethack?
Date: Fri, 23 Nov 2001 12:35:42 -0500
Message-Id: <01112312354202.00791@i8k.babbleon.org>
In-Reply-To: <03a801c17399$ba011c30$0a00000a@atkielski.com>

On Thursday 22 November 2001 16:07, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm
> not installing this at a bank.

If I were installing FreeBSD at a bank, I would not install from ports or over the network at all; I'd get the installation CDs and then track the security-fixes track. And I'd wait at least a month after the new release before installing it, to wait for any potential problems to get shaken out.

A maximally safe system is fundamentally incompatible with a maximally "cool" or "up to date" system.

That said, the ports are surely a lot safer than any Windows-based system; the MD5 gives you some assurance that it is what you think it is, Unixy systems are less of a magnet for malware, and the source *is* available; even if you don't scan it, others will.
If you don't like to live dangerously, then follow this simple rule: Download the ports but wait at least a week before you actually upgrade or install any of them, and watch the ports and other lists in the meantime. If there are severe problems, somebody else will find them & post.

> ----- Original Message -----
> From: "Gary W. Swearingen"
> To: "Anthony Atkielski"
> Cc: "FreeBSD Questions"
> Sent: Thursday, November 22, 2001 22:00
> Subject: Re: setuid on nethack?
>
> > "Anthony Atkielski" writes:
> >
> > > When I add ports and stuff to my system, sometimes they are picked up
> > > from some bizarre FTP sites, and in cases where the executables do not
> > > have to be trusted, some guidelines on how better to secure them would
> > > be welcome. I know that often they are being rebuilt from source before
> > > installation, but it isn't really practical to read through the source
> > > for every port just to look for suspicious code.
> >
> > I've also worried about this sort of thing since learning the ports
> > system last winter. There's a lot of downloading and running of scripts
> > as root going on and it's scary, especially after you've spent many days
> > trying to improve your security. A few more observations on the subject:
> >
> > The main defense seems to be the fear of being tracked down by hackers
> > more skillful than most crackers, aided by the use of MD5 to verify that
> > you're installing the same thing that someone else has already installed
> > and found (with meager testing, sadly, but necessarily) to work OK.
> >
> > I've read of little vandalware on FreeBSD (or Linux). The risk seems
> > acceptable for most people, at least those who do backups. There also
> > might not be any less risky practical alternatives for many.
> >
> > If one learns the details of the ports system, one can do all or most of
> > the ports stuff as a regular user, downloading, building, and installing
> > to non-standard, non-root-protected directories. Someone posted some
> > clues about this on -questions (or -stable?) within the last couple of
> > weeks, but I can't find my copy of it.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Brian T. Schellenberger . . . . . . . bts@wnt.sas.com (work)
Brian, the man from Babble-On . . . . bts@babbleon.org (personal)
http://www.babbleon.org
-------> Free Dmitry Sklyarov! (let him go home) <-----------
http://www.eff.org http://www.programming-freedom.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
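The MD5 check that Gary and Brian lean on above is the one the ports tree automates through its distinfo file; as an added example that is not part of this thread or of FreeBSD's own scripts, here is a small sh script that performs that check by hand against a distinfo-style `MD5 (file) = hash` line and refuses to trust a distfile that has no entry at all. The file names, hashes and helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Verify a downloaded distfile against an MD5 entry in a distinfo-style file.
# Hypothetical helper, not FreeBSD's own code; the "MD5 (name) = hash" line
# format is the one the ports tree's distinfo files used at the time.

# Portable MD5: GNU coreutils md5sum on Linux, md5(1) on BSD.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_distfile DISTINFO FILE
# Exit status 0 if FILE's MD5 matches its distinfo entry, 1 if it
# mismatches, 2 if distinfo has no entry for it (nothing to trust).
check_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$1=="MD5" && $2=="("n")" {print $4}' "$distinfo")
    if [ -z "$expected" ]; then
        echo "no MD5 entry for $name in $distinfo" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$name: checksum OK"
        return 0
    fi
    echo "$name: checksum MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Constructed sample data so the script runs offline: one distfile that
# matches its recorded hash and one that was altered after the hash was taken.
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/good-1.0.tar.gz"
printf 'hello tampered\n' > "$tmp/bad-1.0.tar.gz"
cat > "$tmp/distinfo" <<'EOF'
MD5 (good-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184
MD5 (bad-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184
EOF

check_distfile "$tmp/distinfo" "$tmp/good-1.0.tar.gz"
check_distfile "$tmp/distinfo" "$tmp/bad-1.0.tar.gz" || echo "refusing to install bad-1.0.tar.gz"
```

A mismatch or a missing entry is a reason to stop before the build runs anything as root, not a condition to override.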