Date: Sun, 03 Nov 2002 02:16:20 -0800
From: Doug Barton <DougB@FreeBSD.org>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: ports@FreeBSD.org
Subject: Re: cvs commit: ports/Mk bsd.port.mk
Message-ID: <3DC4F774.54F2F91A@FreeBSD.org>
References: <200211030543.gA35hnMM018389@repoman.freebsd.org>

Kris Kennaway wrote:

> * Improve the security-check target: [4]
>   - Look for setuid/setgid binaries, and binaries that include
>     calls to accept()/recvfrom() (which are likely to be network
>     servers or have network server capability)
>   - Check these binaries for insecure functions (if PORTS_AUDIT is
>     set in the environment, check for a larger set of functions
>     such as strcat/strcpy/sprintf)
>   - Report network servers that are started by default.

This change might be a little too sensitive:

===> SECURITY REPORT:
     This port has installed the following files which may act as network
     servers and may therefore pose a remote security risk to the system.
/usr/local/bin/dig
/usr/local/bin/dnsquery
/usr/local/bin/host
/usr/local/bin/nslookup
/usr/local/bin/nsupdate
/usr/local/libexec/named-xfer
/usr/local/sbin/irpd
/usr/local/sbin/named
/usr/local/sbin/ndc

Of those, only irpd and named are actually daemons. While I'm all for
letting users know about potential security problems, I think we may
have gone too far here.

Doug
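
Added example, not part of the original message and not the code in bsd.port.mk: a sketch of the symbol heuristic the quoted commit message describes, run over a constructed `nm -u` style listing, showing that a client which only reads replies with recvfrom() lands in the same report as a daemon. The binary names, the sample listing and the default insecure-function set are assumptions, and the setuid/setgid test is left out.

```python
import re

# Symbols the quoted commit message says mark a possible network server.
NETWORK_SYMS = {"accept", "recvfrom"}
# Larger audit set named in the commit message (enabled by PORTS_AUDIT).
AUDIT_SYMS = {"strcat", "strcpy", "sprintf"}
# Assumption: stand-in for the default insecure set, which the thread does not list.
DEFAULT_INSECURE = {"gets", "mktemp"}

# Constructed sample: undefined-symbol listings for three hypothetical binaries.
SAMPLE = """\
lookup-client:
         U connect
         U recvfrom
         U sendto
         U strcpy
name-daemon:
         U accept
         U bind
         U listen
         U recvfrom
         U gets
file-tool:
         U open
         U read
         U sprintf
"""

def parse_listing(text):
    """Return {binary: set(undefined symbols)} from nm -u style text."""
    result, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"(\S+):", line.strip())
        if header:
            current = header.group(1)
            result[current] = set()
            continue
        sym = re.fullmatch(r"\s*U\s+(\w+)", line)
        if sym and current is not None:
            result[current].add(sym.group(1))
    return result

def security_check(listing, ports_audit=False):
    """Report binaries that reference accept()/recvfrom(), then audit only those."""
    insecure = DEFAULT_INSECURE | (AUDIT_SYMS if ports_audit else set())
    report = {}
    for name, syms in listing.items():
        hits = syms & NETWORK_SYMS
        if hits:  # the client matches here on recvfrom() alone
            report[name] = {"network": sorted(hits),
                            "insecure": sorted(syms & insecure)}
    return report

if __name__ == "__main__":
    for name, entry in security_check(parse_listing(SAMPLE), ports_audit=True).items():
        print(name, entry)
```

The hypothetical file-tool references sprintf but is never audited, because the check as described only examines binaries already flagged as setuid/setgid or network-capable.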