Skip site navigation (1)Skip section navigation (2)
Date:      22 Nov 2001 13:00:12 -0800
From:      swear@blarg.net (Gary W. Swearingen)
To:        "Anthony Atkielski" <anthony@freebie.atkielski.com>
Cc:        "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: setuid on nethack?
Message-ID:  <g2vgg2v7vn.gg2@localhost.localdomain>
In-Reply-To: <016601c1733d$7a516b00$0a00000a@atkielski.com>
References:  <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com>

next in thread | previous in thread | raw e-mail | index | archive | help
"Anthony Atkielski" <anthony@freebie.atkielski.com> writes:

> When I add ports and stuff to my system, sometimes they are picked up from some
> bizarre FTP sites, and in cases where the executables do not have to be trusted,
> some guidelines on how better to secure them would be welcome.  I know that
> often they are being rebuilt from source before installation, but it isn't
> really practical to read through the source for every port just to look for
> suspicious code.

I've also worried about this sort of thing since learning the ports
system last winter.  There's a lot of downloading and running of scripts
as root going on and it's scary, especially after you've spent many days
tring to improve your security.  A few more observations on the subject:

The main defense seems to be the fear of being tracked down by hackers
more skillful than most crackers, aided by the use of MD5 to verify that
you're installing the same thing that someone else has already installed
and found (with meager testing, sadly, but necessarily) to work OK.

I've read of little vandalware on FreeBSD (or Linux).  The risk seems
acceptable for most people, at least those who do backups.  There also
might not be any less risky practical alternatives for many.

If one learns the details of the ports system, one can do all or most of
the ports stuff as a regular user, downloading, building, and installing
to non-standard, non-root-protected directories.  Someone posted some
clues about this on -questions (or -stable?) withing the last couple of
weeks, but I can't find my copy of it.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?g2vgg2v7vn.gg2>