Date: Fri, 11 Aug 2000 13:20:15 -0700 (PDT)
From: dima@rdy.com (Dima Ruban)
To: Christopher Masto <chris@netmonger.net>
Cc: "Chris D. Faulhaber" <jedgar@fxp.org>, Warner Losh <imp@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <200008112020.NAA18859@sivka.rdy.com>
In-Reply-To: <20000811144136.A12290@netmonger.net> "from Christopher Masto at Aug 11, 2000 02:41:48 pm"
Christopher Masto writes:
> On Fri, Aug 11, 2000 at 02:29:37PM -0400, Chris D. Faulhaber wrote:
> > > > Don't build suidperl by default. Make users specifically enable its
> > > > building.
> > >
> > > Umm.. isn't that a bit of a radical change? Any reason for it?
> >
> > Any reason against it? Given the security hole found under Linux and
> > potential problems of Yet Another Suid Binary, it seems a good
> > idea. Also, see the recent discussions on FreeBSD-security.
>
> The reason against it is that it's a standard part of Perl, and a very
> useful one. Without it, those who install from binary, or don't know
> to set this option, will not be able to run setuid Perl programs.
> Since Perl has some features specifically designed to aid in writing
> secure setuid programs, removing suidperl could actually cause a
> revenge effect and end up resulting in _more_ security holes.

How do you see that resulting in _more_ security holes?
If /usr/bin/suidperl doesn't exist and some program refers to it, it will
give you a "command not found" (or similar) message.

> This was a strange interaction bug in a program which is very well
> inspected, has a good security reputation, was fixed very quickly, and

As Warner pointed out, this was the second problem with suidperl in the
last 3 (or maybe 2) years. Generally it's more than enough to seriously
think about nuking it from the default installation.

> didn't even apply to FreeBSD. It seems a bit of an overreaction to
> disable suidperl because of it.

I don't think we overreacted.

> As Warner said on freebsd-security, if you're paranoid, you can just
> delete suidperl yourself.
>
> If this change is not backed out, I think it is important to at least

I do not believe it will be backed out.

> come up with an easy way to get suidperl without building from source.
> We should not force this limitation on casual users.
>
> --
> Christopher Masto        Senior Network Monkey      NetMonger Communications
> chris@netmonger.net        info@netmonger.net        http://www.netmonger.net
>
> Free yourself, free your machine, free the daemon -- http://www.freebsd.org/

-- dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
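The thread's concern is "Yet Another Suid Binary" on a default install, and Warner's suggestion is that an operator who does not want suidperl can remove it. The following is an added example, not code from the thread or from FreeBSD: a POSIX sh script that enumerates setuid executables below a directory and reports the status of one path, so an operator can see which setuid binaries (suidperl included) are actually present before deciding what to keep. The default path /usr/bin/suidperl is the one named in the thread; the demo runs on a constructed temporary tree and touches no real system files.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid executables.

# Print every regular file below $1 that carries the setuid bit, one per
# line, sorted. "-perm -4000" is understood by both GNU and BSD find.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Report the setuid status of one path: "setuid", "not setuid" or "missing".
# The default is the path the thread talks about (assumed location).
suid_status() {
    p="${1:-/usr/bin/suidperl}"
    if [ ! -e "$p" ]; then
        echo "missing"
    elif [ -u "$p" ]; then
        echo "setuid"
    else
        echo "not setuid"
    fi
}

# Demo on a constructed directory tree so the script runs offline and
# without privileges; the "suidperl" here is an empty file, not Perl.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    : > "$root/bin/suidperl"; chmod 4755 "$root/bin/suidperl"   # constructed setuid file
    : > "$root/bin/perl";     chmod 0755 "$root/bin/perl"       # constructed plain file
    echo "setuid files under $root:"
    list_setuid "$root"
    echo "suidperl: $(suid_status "$root/bin/suidperl")"
    echo "perl:     $(suid_status "$root/bin/perl")"
    echo "absent:   $(suid_status "$root/bin/absent")"
    rm -rf "$root"
}

demo
```

Run it as-is to see the demo; on a real host, `list_setuid /usr/bin` (or the prefix Perl was installed under) gives the inventory, and `suid_status` with no argument checks the default path from the thread.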