From owner-freebsd-security  Sat Sep 30 16: 6: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id EE7BD37B502
	for <security@FreeBSD.ORG>; Sat, 30 Sep 2000 16:05:58 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id TAA45861;
	Sat, 30 Sep 2000 19:05:51 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Sat, 30 Sep 2000 19:05:51 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
X-Sender: robert@fledge.watson.org
To: Warner Losh <imp@village.org>
Cc: Jordan Hubbard <jkh@winston.osd.bsdi.com>, security@FreeBSD.ORG
Subject: Re: Security and FreeBSD, my overall perspective 
In-Reply-To: <200009302258.QAA13969@harmony.village.org>
Message-ID: <Pine.NEB.3.96L.1000930190059.44353B-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


On Sat, 30 Sep 2000, Warner Losh wrote:

> I do like the trust level metric.  For ports that we've extensively
> reviewed, we could rate them 1.  For ports that we haven't, but that
> run as normal users we could rate them as 2.  For ports we haven't
> that run at elevated privs, we could default to 5 (all these assume N
> is 10).

I see a few axes here, which may be reducable down to a single axis of
common cases, but:

Exposure:

Whether or not the application should, in normal use, be exposed to data
of untrusted origin (e-mail, data files from untrusted users, socket
connections in or out-bound, etc).

  - Intended to be run with exposure to untrusted environments
  - Not intended to run with exposure to untrusted environments

Auditing:

Whether or not the application has been audited by FreeBSD security
developers, or other trusted parties.

  - Known decent
  - Unknown
  - Known bad

Privilege:

What amount of privilege and access this code will be run as, determining
the level of damage possible as a result of an exploit.

  - Run with elevated privilege
  - Run by normal users
  - Run sandboxed

Just some initial thoughts.  Pine rates poorly on all counts: it is
exposed to untrusted data (e-mail, SMTP, IMAP), is known bad in terms of
past and current exploitable bugs, and is run by many users, potentially
including the root user.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message