Subject: Base system vs. Ports
From: Matt.Smith@uconn.edu
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 28 May 2002 12:05:42 -0400

All --

I'm sure this has been discussed many times before, but my searches on the mailing lists were not revealing the answer to me. I am somewhat new to FreeBSD, and so to this list, so please excuse my lack of understanding of the FreeBSD architecture.

Could someone explain to me why certain components, such as SSH, Perl, BIND, etc. are included as part of the base system? I would not consider these "part of FreeBSD", nor even necessarily "part of Unix". When I install a FreeBSD system, one of the first procedures I have to go through is installing OpenSSH, Perl, BIND, etc. from the ports collection, to make sure I have the latest versions.

I understand that not all users wish to have the latest version of a given app -- but would it not be better to have ports for separate versions, such as openssh-2.9 and openssh-3.2? It seems this would at least allow one to patch (for example) the sshd daemon alone, by upgrading the port, without having to rebuild the entire world.

My concern comes from a security perspective -- if I have installed openssh from the ports collection, keeping /usr/local/sbin/sshd patched is as simple as "portupgrade openssh". However, this leaves an unpatched /usr/sbin/sshd (until I rebuild the world). Yes, that version of sshd is disabled via /etc/rc.conf:SSHD_ENABLE="NO", but if a hacker can (somehow) successfully start this unpatched daemon, a Point of Entry may be created. And I'm sure we've all had some sort of experience with hackers! :) The fewer potential tools I can provide a hacker, the better.

** BTW -- I am not intentionally picking on openssh -- it just seems to be a very good example for this issue. **

I would rather see the base system be very lean, and these components be installed simply from ports/packages. This is the #1 reason I gave up on Linux distributions such as RedHat. There was too much preinstalled, so it became difficult to "lock-down". FreeBSD /is/ much slimmer, but these few apps still puzzle me.

Could someone provide me with the flaw in my reasoning?

Thank you all,
-Matt Smith

Matthew J. Smith
matt.smith@uconn.edu
University of Connecticut ITS
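The situation Matt describes (a ports sshd kept current with portupgrade while the base-system copy sits on disk until the next make world) can be audited with a few lines of POSIX sh. The script below is an added example, not code from the mail or from the FreeBSD project. It takes the "ssh -V" banners of both binaries and the text of rc.conf as strings so it runs offline; the banners and rc.conf fragment embedded at the bottom are constructed samples. The knob names sshd_enable and sshd_program are the ones that appear in /etc/defaults/rc.conf; the /usr/sbin/sshd and /usr/local/sbin/sshd paths are the ones from the mail.

```shell
#!/bin/sh
# sshd_audit.sh -- added example (not from the original mail or FreeBSD).
# Reports whether the base-system sshd is older than the ports sshd, and
# whether rc.conf would start the stale base copy at boot.

# Pull the OpenSSH version ("2.9", "3.2.2p1") out of an "ssh -V" banner.
# ssh -V writes to stderr, so a live call is:  openssh_version "$(ssh -V 2>&1)"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p'
}

# "3.2.2p1" -> "3 2 2 1"; "2.9" -> "2 9 0 0"  (major minor patch portable)
version_key() {
    v=${1%%p*}                 # strip the portable-release suffix
    p=${1#"$v"}; p=${p#p}      # keep just its number, or empty
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${p:-0}"
}

# version_lt A B: succeeds when OpenSSH version A is older than B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        a=${pair% *}; b=${pair#* }
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    return 1
}

# rc_knob RCTEXT NAME DEFAULT: value of an rc.conf knob, last assignment wins
# (rc.conf is sourced as sh), with quotes and trailing comments stripped.
rc_knob() {
    val=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" \
          | tail -n 1 | tr -d " \t\"'")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd BASE_BANNER PORTS_BANNER RCTEXT: one finding per line, "ok" if none.
# Always returns 0 so callers can capture the output under set -e.
audit_sshd() {
    base=$(openssh_version "$1")
    ports=$(openssh_version "$2")
    if [ -z "$base" ] || [ -z "$ports" ]; then
        echo "ERROR: could not parse an OpenSSH version banner"
        return 0
    fi
    enable=$(rc_knob "$3" sshd_enable NO | tr '[:upper:]' '[:lower:]')
    program=$(rc_knob "$3" sshd_program /usr/sbin/sshd)
    n=0
    if version_lt "$base" "$ports"; then
        echo "STALE: base /usr/sbin/sshd is $base, ports /usr/local/sbin/sshd is $ports"
        n=$((n + 1))
        if [ "$enable" = yes ] && [ "$program" = /usr/sbin/sshd ]; then
            echo "RISK: rc.conf starts the stale base sshd at boot (sshd_enable=YES, sshd_program=$program)"
            n=$((n + 1))
        elif [ "$enable" != yes ]; then
            echo "HINT: base sshd is disabled in rc.conf but the old binary stays on disk; chmod 0000 /usr/sbin/sshd keeps it from running until the next installworld replaces it"
        fi
    fi
    [ "$n" -eq 0 ] && echo "ok"
    return 0
}

# Constructed sample input (not captured from a real host).
BASE_BANNER='OpenSSH_2.9, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
PORTS_BANNER='OpenSSH_3.2.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
RC_TEXT='sshd_enable="YES"   # earlier assignment, overridden below
sshd_enable="NO"    # ports sshd is started from /usr/local/etc/rc.d instead
'
audit_sshd "$BASE_BANNER" "$PORTS_BANNER" "$RC_TEXT"
```

On a live host the call is `audit_sshd "$(/usr/bin/ssh -V 2>&1)" "$(/usr/local/bin/ssh -V 2>&1)" "$(cat /etc/rc.conf)"`. Two practical points the output leans on: rc.conf's sshd_program knob lets rc start the ports daemon (sshd_program="/usr/local/sbin/sshd") instead of the base copy, and the chmod hint is only a stopgap, since installworld puts the base binary back with its normal mode.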