From: "Keith R. Jarvis"
Subject: Re: [Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities] ]
To: freebsd-security@freebsd.org
Date: Wed, 1 Dec 1999 16:29:51 -0500 (EST)
In-Reply-To: <19991201132151.A1226@norn.ca.eu.org> from "Chris Piazza" at Dec 1, 99 01:21:51 pm

>
> On Wed, Dec 01, 1999 at 01:02:57PM -0700, Brock Tellier wrote:
> >
> > Personally, I don't think it is at all unreasonable to do a full 2700 port
> > install via sysinstall and audit the 200 or so suid-programs. Sure, it's
> > important that the others be free from symlink problems and in a few cases,
> > buffer overflows, but focusing, as I did, on the suids wouldn't be
> > ridiculously difficult. More than 50% of these programs could safely lose
> > their suid-bit. Considering the number of people who will actually need
> > "xmindpath" suid vs. the number of people who just do a full install because
>
> Excellent. So when can we expect you to finish this project?
>

Now that's shooting the messenger

--
Keith R. Jarvis (kjarvis@iss.net)              http://xforce.iss.net
Internet Security Systems, Inc.                +1-678-443-6149 (direct)
Adaptive Network Security for the Enterprise   +1-678-443-6479 (fax)