From owner-freebsd-audit Wed Aug 2 11:55: 6 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235])
	by hub.freebsd.org (Postfix) with ESMTP id 412AE37B926;
	Wed, 2 Aug 2000 11:55:03 -0700 (PDT)
	(envelope-from jedgar@fxp.org)
Received: from earth (oca-c1s5-31.mfi.net [209.26.94.216])
	by pawn.primelocation.net (Postfix) with ESMTP id D96F39B1C;
	Wed, 2 Aug 2000 14:55:00 -0400 (EDT)
Date: Wed, 2 Aug 2000 14:55:00 -0400 (EDT)
From: "Chris D. Faulhaber"
X-Sender: jedgar@earth.causticlabs.com
To: Brian Fundakowski Feldman
Cc: Kris Kennaway , freebsd-audit@freebsd.org
Subject: fuzz usage (was: Re: cvs commit: ports/security/fuzz Makefile)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Moving to FreeBSD-Audit

On Tue, 1 Aug 2000, Brian Fundakowski Feldman wrote:

> On Tue, 1 Aug 2000, Kris Kennaway wrote:
>
> > See the preliminary list I posted to -audit the other day for some easy
> > and not-so-easy candidates :-)
>
> Right :) For what it's worth, sed survives a few thousand fuzz runs. I
> am using fuzz with kern.chroot_allow_non_suser enabled (don't use more
> permissions for anything than necessary...), but I think I'll set up a
> jail to run it in. Trusting running programs as root is hard, but even
> harder is trusting them with untrusted input ;)
>
> I'm gonna see what bugs I can find with fuzz in the non-gnu stuff, of
> course starting with your suggestions, and I'll post any specifics to
> -audit. I encourage anyone else who's looking for some useful things
> to do to join -audit, too!
>

Of course, beware of using fuzz on a machine with multiple users. Fuzz
creates temp files in /tmp using the tested program's name and run number
(e.g. make.9999, make.9998, etc). While it does clean up after itself,
the program does no sanity checking for links, etc, and will gladly
overwrite an existing file (or the other end of a sym link).

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
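
The overwrite described in the message above, next to an exclusive-create open that refuses it, as an added example that is not part of the original mail and is not fuzz's own code. The scratch directory, victim.txt and all function names are constructed for illustration; only the name make.9999 comes from the mail.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the mail warns about: a guessable name opened with O_TRUNC.
 * open() follows a symlink already sitting at `path` and empties its target. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails if anything (a file or
 * a symlink) already exists at `path`; nothing is followed or truncated. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Size of the file `path` resolves to, or -1 on error. */
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed fixture: a private scratch dir holding victim.txt (5 bytes)
 * and a symlink make.9999 pointing at it. `dir` is a mkdtemp() template. */
int setup(char *dir, char *victim, char *lnk, size_t n) {
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, n, "%s/victim.txt", dir);
    snprintf(lnk, n, "%s/make.9999", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("data\n", f);
    return fclose(f) == 0 ? symlink(victim, lnk) : -1;
}

int main(void) {
    char dir[] = "/tmp/fuzzdemo.XXXXXX", victim[128], lnk[128];
    if (setup(dir, victim, lnk, sizeof victim) != 0) return 1;
    int fd = open_exclusive(lnk);   /* refused, victim keeps its 5 bytes */
    printf("exclusive:   fd=%d errno=%d victim=%ld bytes\n", fd, errno, file_size(victim));
    fd = open_predictable(lnk);     /* succeeds through the link */
    printf("predictable: fd=%d victim=%ld bytes\n", fd, file_size(victim));
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); rmdir(dir);
    return 0;
}
```

For scratch files whose name does not need to be predictable, mkstemp() gives the same exclusive-create guarantee and picks an unguessable name as well.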