From owner-freebsd-security  Mon Oct 18  9: 3: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id AEB3214CA1
	for <freebsd-security@FreeBSD.ORG>; Mon, 18 Oct 1999 09:02:54 -0700 (PDT)
	(envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Mon, 18 Oct 1999 10:02:51 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1)
	id xma019264; Mon, 18 Oct 99 10:02:47 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id KAA50106; Mon, 18 Oct 1999 10:01:22 -0600 (MDT)
Date: Mon, 18 Oct 1999 10:01:22 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
X-Sender: hart@anchovy.orem.iserver.com
To: tom brown <tmcb1971@yahoo.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: General securiy of vanilla install WAS [FreeSSH]
In-Reply-To: <19991017043046.5909.rocketmail@web115.yahoomail.com>
Message-ID: <Pine.BSF.4.10.9910180940240.50020-100000@anchovy.orem.iserver.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 16 Oct 1999, tom brown wrote:

> It's a mean world out there, and FreeBSD is a good contender as
> security goes, but not straight out of the box!

I think this borders more on hyperbole.  What is it "straight out of the
box" that strikes you as so insecure?  When was the last time that a
daemon considered "part of FreeBSD" (i.e. not one of the ports) had a
remote root vulnerability?  And what about local root vulnerabilities?  
The fts-bug-and-core-dumping-follows-symbolic-links hole was the last one
in recent memory, but how would restricting what gets installed at
installation time have affected that in any way?

Just saying something like "I have X number of SUID/SGID programs
installed or Y number of daemons running from inetd on my fresh vanilla
install so I am insecure" makes it sound scary, but how many exploits do
you have for each of those?  And if you're advanced enough to be reading
this list, then you'd be advanced enough to turn off services you don't
need (which is always a good idea).

I feel that the vanilla install strikes a delicate balance between
security and usability.  Inexperienced users will have enough running to
see how FreeBSD works without undue exposure, and experienced users have
only a few things to turn off if they're worried about them.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message