Re: setuid on nethack?

From: Brian T.Schellenberger (bts@babbleon.org)
Date: 11/23/01


From: Brian T.Schellenberger <bts@babbleon.org>
To: "Anthony Atkielski" <anthony@freebie.atkielski.com>, "Gary W. Swearingen" <swear@blarg.net>
Date: Fri, 23 Nov 2001 12:35:42 -0500

On Thursday 22 November 2001 16:07, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm
> not installing this at a bank.

If I were installing FreeBSD at a bank, I would not install from ports or
over the network at all; I'd get the installation CDs and then track the
security-fixes track.

And I'd wait at least a month after the new release before installing it to
wait for any potential problem to get shaken out.

A maximally safe system is fundamentally incompatible with a maximally "cool"
or "up to date" system.

That said, the ports are surely a lot safer than any Windows-based system;
the MD5 gives you some assurance that it is what you think it is, Unixy
systems are less of a magnet for malware, and the source *is* available; even
if you don't scan it, others will.

If you don't like to live dangerously, then follow this simple rule:
Download the ports but wait at least a week before you actually upgrade or
install any of them, and watch the ports and other lists in the meantime. If
there are severe problems, somebody else will find them & post.

>
> ----- Original Message -----
> From: "Gary W. Swearingen" <swear@blarg.net>
> To: "Anthony Atkielski" <anthony@freebie.atkielski.com>
> Cc: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>;
> <freebsd-security@FreeBSD.ORG>
> Sent: Thursday, November 22, 2001 22:00
> Subject: Re: setuid on nethack?
>
> > "Anthony Atkielski" <anthony@freebie.atkielski.com> writes:
> > > When I add ports and stuff to my system, sometimes they are picked up
> > > from some bizarre FTP sites, and in cases where the executables do not
> > > have to be trusted, some guidelines on how better to secure them would
> > > be welcome. I know that often they are being rebuilt from source before
> > > installation, but it isn't really practical to read through the source
> > > for every port just to look for suspicious code.
> >
> > I've also worried about this sort of thing since learning the ports
> > system last winter. There's a lot of downloading and running of scripts
> > as root going on and it's scary, especially after you've spent many days
> > trying to improve your security. A few more observations on the subject:
> >
> > The main defense seems to be the fear of being tracked down by hackers
> > more skillful than most crackers, aided by the use of MD5 to verify that
> > you're installing the same thing that someone else has already installed
> > and found (with meager testing, sadly, but necessarily) to work OK.
> >
> > I've read of little vandalware on FreeBSD (or Linux). The risk seems
> > acceptable for most people, at least those who do backups. There also
> > might not be any less risky practical alternatives for many.
> >
> > If one learns the details of the ports system, one can do all or most of
> > the ports stuff as a regular user, downloading, building, and installing
> > to non-standard, non-root-protected directories. Someone posted some
> > clues about this on -questions (or -stable?) within the last couple of
> > weeks, but I can't find my copy of it.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Brian T. Schellenberger . . . . . . .   bts@wnt.sas.com (work)
Brian, the man from Babble-On . . . .   bts@babbleon.org (personal)
                                        http://www.babbleon.org
-------> Free Dmitry Sklyarov!  (let him go home)  <-----------
http://www.eff.org                 http://www.programming-freedom.org 
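Brian's point about the MD5 in the ports tree, as an added example that is not part of the original thread: a POSIX shell check that compares a downloaded distfile against the digests recorded in a ports-style distinfo file before anything is built from it. The distinfo line format ("ALGO (file) = hex"), the file names and the "hello" sample contents are constructed for the demo, and the digest-tool fallback order is an assumption so the script runs on FreeBSD, Linux or macOS alike.

```shell
#!/bin/sh
# Added example (not from the thread): verify a distfile against the
# digests recorded in a ports-style distinfo before building from it.
# Assumed distinfo line format: "MD5 (file) = hex" / "SHA256 (file) = hex".

# digest ALGO FILE -> prints the hex digest, using whichever tool exists
# (FreeBSD: md5/sha256, Linux: md5sum/sha256sum, fallback: openssl).
digest() {
    algo="$1"; file="$2"
    case "$algo" in
        MD5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$file" | cut -d' ' -f1
            elif command -v md5 >/dev/null 2>&1; then md5 -q "$file"
            else openssl dgst -md5 "$file" | sed 's/.*= //'; fi ;;
        SHA256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$file" | cut -d' ' -f1
            elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$file"
            else openssl dgst -sha256 "$file" | sed 's/.*= //'; fi ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
}

# check_distfile DISTINFO FILE -> 0 if every recorded digest for FILE
# matches, 1 if any digest mismatches or FILE is not listed at all.
check_distfile() {
    distinfo="$1"; file="$2"; base=$(basename "$file"); found=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "MD5 ($base) = "*|"SHA256 ($base) = "*) ;;
            *) continue ;;            # other files or unrelated lines
        esac
        found=1
        algo=${line%% *}              # "MD5" or "SHA256"
        expected=${line##*= }         # hex digest after "= "
        actual=$(digest "$algo" "$file") || return 2
        if [ "$actual" = "$expected" ]; then
            echo "$algo $base: OK"
        else
            echo "$algo $base: MISMATCH (expected $expected, got $actual)" >&2
            bad=1
        fi
    done < "$distinfo"
    [ "$found" -eq 1 ] || { echo "$base: not listed in $distinfo" >&2; return 1; }
    return "$bad"
}

# Demo with constructed data: a stand-in distfile containing "hello\n" and
# a distinfo carrying its well-known MD5 and SHA256, then a tampered copy.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/distcheck.XXXXXX") || return 1
    printf 'hello\n' > "$work/nethack-demo.tgz"
    printf 'MD5 (nethack-demo.tgz) = b1946ac92492d2347c6235b4d2611184\n' > "$work/distinfo"
    printf 'SHA256 (nethack-demo.tgz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' >> "$work/distinfo"
    check_distfile "$work/distinfo" "$work/nethack-demo.tgz"
    printf '# trojaned\n' >> "$work/nethack-demo.tgz"    # simulate a tampered download
    check_distfile "$work/distinfo" "$work/nethack-demo.tgz" \
        || echo "refusing to build: distfile does not match distinfo"
    rm -rf "$work"
}
demo
```

A match only tells you the file is byte-for-byte what the port maintainer recorded when the port was committed; it says nothing about whether upstream was clean at that moment, and it is only as trustworthy as the copy of the ports tree the distinfo came from. Current ports trees record SHA256 and SIZE rather than MD5, and MD5 itself is collision-broken, so the MD5 branch above exists only to match the 2001-era format the thread is discussing.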

