From owner-freebsd-security Tue Jun 3 10:32:25 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA10733 for security-outgoing; Tue, 3 Jun 1997 10:32:25 -0700 (PDT)
Received: from phobos.frii.com (phobos.frii.com [204.144.241.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA10723 for ; Tue, 3 Jun 1997 10:32:20 -0700 (PDT)
From: gnat@frii.com
Received: from elara.frii.com (elara.frii.com [204.144.241.9]) by phobos.frii.com (8.8.5/8.8.4) with ESMTP id LAA05207; Tue, 3 Jun 1997 11:31:31 -0600 (MDT)
Received: (from gnat@localhost) by elara.frii.com (8.8.5/8.6.9) id LAA02257; Tue, 3 Jun 1997 11:31:31 -0600 (MDT)
Date: Tue, 3 Jun 1997 11:31:31 -0600 (MDT)
Message-Id: <199706031731.LAA02257@elara.frii.com>
To: Matthias Buelow
Cc: ghelmer@cs.iastate.edu (Guy Helmer), freebsd-security@FreeBSD.ORG
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
In-Reply-To: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
References: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
Mime-Version: 1.0 (generated by tm-edit 7.103)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Matthias Buelow writes:
> routine for me to chmod 0 sperl/setuidperl etc.

My standard installation process is now to:
 - build and install perl5.004 with a suidperl into /usr/local
 - make sure /usr/bin and /usr/local have perl and perl5 hard-linked
   to /usr/local/bin/perl5.004
 - make sure /usr/bin/ and /usr/local/bin/ have perl4 being the perl4
   that came with the system
 - make sure 5.004 suidperl is hardlinked between /usr/local/bin and
   /usr/bin
 - delete any *perl* crap that came with the system (curseperl and
   taintperl and sperl and any other oddities I stumble across in
   /usr/bin/)

I have a question: because 2.2 and 2.1 seem to have /dev/fd/n where n
is a file descriptor number, does this mean that FreeBSD doesn't need
a suidperl because setuid scripts are now safe in the kernel?

Nat
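
Added example, not part of Nat's message: a shell audit for the end state the list above aims at, where the only setuid `*perl*` files left in `/usr/bin` and `/usr/local/bin` are hard links to one reference suidperl. The function names and the installed file name `suidperl` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid perl binaries after the clean-up described above.
# Function names and the reference file name "suidperl" are assumptions.

# list_setuid_perl DIR...: print every regular, setuid file named *perl*.
list_setuid_perl() {
    for dir in "$@"; do
        for f in "$dir"/*perl*; do
            # -f also skips an unexpanded glob; -L skips symlinks; -u tests setuid
            if [ -f "$f" ] && [ ! -L "$f" ] && [ -u "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# same_file A B: succeed only when A and B are hard links to the same inode.
# (-ef is not in POSIX test, but bash, dash, ksh and FreeBSD sh provide it.)
same_file() {
    [ -f "$1" ] && [ -f "$2" ] && [ ! -L "$1" ] && [ ! -L "$2" ] \
        && [ "$1" -ef "$2" ]
}

# unexpected_setuid_perl REFERENCE DIR...: print setuid *perl* files that are
# NOT hard links to REFERENCE, e.g. a leftover sperl that came with the system.
unexpected_setuid_perl() {
    ref=$1
    shift
    list_setuid_perl "$@" | while IFS= read -r f; do
        same_file "$f" "$ref" || printf '%s\n' "$f"
    done
}

# Usage: sh audit.sh /usr/local/bin/suidperl /usr/bin /usr/local/bin
if [ "$#" -ge 2 ]; then
    unexpected_setuid_perl "$@"
fi
```

Empty output means every setuid perl found is the reference binary; any path printed is a separate setuid copy to review.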