Date: Tue, 4 Jul 2000 18:48:50 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: kienow@infinet.com Cc: ports@freebsd.org Subject: Re: I would like to help audit the ports collection. Message-ID: <Pine.BSF.4.21.0007041844540.36058-100000@freefall.freebsd.org> In-Reply-To: <395B713A.7A2022E5@infinet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 29 Jun 2000 kienow@infinet.com wrote: > Hello, > I have some spare time I would like to use to audit the ports > collection for security vulnerabilities. I do not have the hard drive > space or a fast enough connection to download > and install all of the ports collection. So I can check for setuid > files. I was wondering if > I could obtain a list of ports that install setuid binary files for > auditing. If you could please get > me this information it would be greatly appreciated, and hopefully > helpful to the FreeBSD > project. Thanks for your offer. I'm still trying to get that master list myself, but when I do I'll get back to you, as well as trying to organize some kind of more formal effort. In the meantime, you can look at the installation logs for a port on http://bento.freebsd.org, which include a section listing the set[ug]id and world-writable files the port installs - I hope to get these extracted into a master list of things to investigate. But for now you can just pick ports at random until you find a setuid one, and then attack it :-) If you discover any problems, please send them directly to me at kris@FreeBSD.org or security-officer@FreeBSD.org. Thanks, and good hunting! Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <forsythe@alum.mit.edu> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007041844540.36058-100000>