From owner-freebsd-security@FreeBSD.ORG Mon Aug 11 16:21:34 2003
Date: Mon, 11 Aug 2003 18:21:32 -0500
From: "Jacques A. Vidrine"
To: Mike Hoskins
cc: security@freebsd.org
Subject: Re: realpath(3) et al
Message-ID: <20030811232132.GB46629@madman.celabo.org>
In-Reply-To: <20030811133749.U27196@fubar.adept.org>
References: <20030811133749.U27196@fubar.adept.org>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.4i-ja.1
List-Id: Security issues [members-only posting] <freebsd-security@freebsd.org>

On Mon, Aug 11, 2003 at 02:08:27PM -0700, Mike Hoskins wrote:
> First, I hope that this message is not considered flame bait. As someone
> who has used FreeBSD for 5+ years now, I have a genuine interest in
> the integrity of our source code.
>
> Second, I hope that this message is not taken as any form of insult or
> finger pointing.

No worries.

> Software without bugs does not exist, and I think we all
> know that. Acknowledging that point and working to mitigate the risks
> associated with it would seem to be our only real option.

Yes, we are all agreed here.

> That said, every time something like the recent realpath(3) issue comes
> to light, I find myself asking why I haven't at least tried to do more to
> review our source code or (more desirable) enable 3rd-party audits.

More people should ask themselves that :-)

One can talk about auditing code, or one can do it. Even in projects
where careful auditing has been the primary focus, things get missed.
For example, OpenBSD missed this exact same bug and corrected it about
the same time as everyone else.

> My question is... If enabling a 3rd-party audit for some target release
> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
> other-wise?

People need to read code, that's all. You can share your code reading
insights at freebsd-audit@freebsd.org, or if you believe it is
sensitive, with security-team@freebsd.org.

We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a
result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
auditing. Also, many commits that are just `cleanup' are the result of
a kind of `auditing'.

What we perhaps lack is coordination. This is not easy in a volunteer
environment, but perhaps something as simple as a `scoreboard' with
`these files being audited/have been audited by whatsmyname' would be
an improvement. On the other hand, in my experience, people are quick
to volunteer and slow to follow up --- usually disappearing. :-(
Of course, those that do follow up often become committers themselves :-)

> I'm willing to invest both time and money to make this
> happen. I'd expect such an endeavor to be tedious and expensive... and,
> of course, it would really need to be repeated occasionally to be of real
> value. (Probably, at least, after major version number changes.)
>
> However, perhaps doing an audit of the base system now would help our
> image in the security community? *shrug*

I didn't know we had an image problem in the security community.

Probably the single most effective way to get an audit done is to read
the code :-)

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se