Date: Sat, 19 Jun 1999 09:43:11 -0500 (CDT) From: Joe Greco <jgreco@ns.sol.net> To: hibma@skylink.it Cc: security@freebsd.org Subject: Re: make world clobbers (was Re: some nice advice...) Message-ID: <199906191443.JAA57799@aurora.sol.net> In-Reply-To: <Pine.BSF.3.96.990619151621.3827B-100000@heidi.plazza.it> from Nick Hibma at "Jun 19, 1999 3:20: 3 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> Please send me a list of the offending ports and I will fix them. I've > fixed > > /usr/ports/[ab]* > > up to now. > > And yes, a lot of ports are broken. But without FreeBSD users saying so, > with a send-pr, no FreeBSD user will be fixing it. > > I am perfectly willing to fix all the ports you require fixing tomorrow > if you pay me a 500 Euro and agree that all the work goes into open > source with the BSD license on it. Or try freebsd-jobs for someone > cheaper. Nick, read again what I said: "None of this should reflect poorly on the ports people... the ports do what they are meant to and are certainly worthwhile. However, for some purposes you just can't use them." Since I do have commit privs, I could certainly fix them myself if I felt that it was a serious issue that affected lots of people. Since I am probably one of a dozen people on the planet who is even aware of the issue, however, and since I generally compile important stuff direct from the source instead of from a port, I don't see such a need. What I _do_ think would be cool - and will certainly contribute myself, if I happen to get to it before somebody else - would be an addition to the port system that allows you to throw an entire application into phk's jail system. This would be very worthwhile as almost everybody could and should run potentially vulnerable services such as httpd in this manner. A lot of people aren't aware of the security features available in FreeBSD, and it is a shame that nobody is publicizing them. I've shown what I do to secure the OS (in a general sort of way). With some other additions like good firewall rules and jail-ized httpd, it'd be cool to advertise the fact that FreeBSD can do things like hardened, intrusion-resistant web service with a minimum of fuss. I am not trying to say anything bad about the ports system or the work that people have done. I am simply looking at it from the point of view of an engineer who is trying to meet various server design requirements, and noting that the current state of affairs for ports doesn't work well for "secure" environments such as I've been describing. If anyone has any interest in working on jail-ing ports, I'd be happy to: a) discuss ideas, b) possibly offer a (small) bounty for particular ports I'd like to see jail-ized, c) see if I can find anyone else interested in sponsoring the work. Otherwise I'll end up doing it myself at some point, although it isn't really high on my priority list. > > I've never seen that to be true; I have a whole _set_ of patches to make > > the Apache and Squid ports relocate into a defined prefix, because setting > > PREFIX=/squid make install doesn't cut it by a long shot. Now, I could > > give you a step-by-step through the various ports that disprove what you > > are trying to say, or you and I could just agree that in principle $PREFIX > > is a reasonable idea but it isn't well-implemented. > > > > Oh, what the heck. > > > > strings /usr/local/sbin/gated | grep '^/' > > /var/db/%s.pid > > /var/run/%s.version > > /etc/%s.conf > > > > I guess one could argue qpage either way; qpage puts its spool over in > > /var/spool/qpage and there isn't much you can configure about that. I > > probably wouldn't want that on a dedicated paging server. Fortunately > > I don't run one. > > > > The last time I looked at the INN port it was a nightmare. But I have > > not looked recently so I guess I won't point to it as a glaring counter- > > example. > > > > Neither Squid nor Apache build a usable configuration if you PREFIX > > elsewhere. > > > > None of this should reflect poorly on the ports people... the ports do > > what they are meant to and are certainly worthwhile. However, for some > > purposes you just can't use them. > > > > ... Joe > > > > ------------------------------------------------------------------------------- > > Joe Greco - Systems Administrator jgreco@ns.sol.net > > Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > e-Mail: hibma@skylink.it > > -- ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199906191443.JAA57799>