From owner-freebsd-security Thu Dec 9 12: 7:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 1D239156B0; Thu, 9 Dec 1999 12:07:11 -0800 (PST) (envelope-from ilmar@ints.ru)
Received: (from uucp@localhost) by ints.ru (8.9.2/8.9.2) id XAA28693; Thu, 9 Dec 1999 23:07:04 +0300 (MSK)
Received: from ws-ilmar.ints.ru(194.67.173.16) via SMTP by ints.ru, id smtpdV28691; Thu Dec 9 23:07:03 1999
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.3/8.9.3) with ESMTP id XAA00600; Thu, 9 Dec 1999 23:07:02 +0300 (MSK)
Date: Thu, 9 Dec 1999 23:07:02 +0300 (MSK)
From: "Ilmar S. Habibulin"
To: freebsd-audit@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: question to auditors
In-Reply-To: <84714733.944601517508.JavaMail.chenresig@karma>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm wondering what you guys search for in the sources. I know that there are some functions like gets(), which don't check the bounds of arrays, and possible problems with setuid/setgid bits. So I have some questions like:

- what is the full list of risky functions
- what else could be a threat to the security, integrity or functionality of some application
- or where can I find full answers to my maybe stupid questions

Thanks.
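The gets() problem the question raises, as an added illustration (this code is not part of the original mail or of the FreeBSD audit): gets() copies an input line into its argument with no idea how large the buffer is, so any line longer than the buffer overruns it. The bounded reader below uses fgets(), which stops at size-1 bytes, and additionally reports the case that simple fgets() replacements tend to ignore: a line that did not fit and was silently cut short. The helper names (read_line, read_from_string, the enum) and the sample input are constructed for the example; fmemopen() is the POSIX call used to feed an in-memory string as a FILE stream.

```c
/* Added example: bounded line reading in place of gets().
 * Names below (read_line, read_from_string, enum read_result) are
 * constructed for this illustration, not taken from any audited source. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum read_result { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Read one line into buf (size bytes), stripping the trailing newline.
 * gets() would write past buf on a long line; fgets() stops at size-1
 * bytes. If the line did not fit, the remainder is drained so the next
 * call starts on a fresh line, and LINE_TRUNCATED is returned so the
 * caller can reject the input instead of processing a cut-off value. */
enum read_result read_line(FILE *fp, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline: either the input ended without one, or the line was
     * longer than the buffer. Peek at the next byte to tell them apart. */
    int c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;

    /* Over-long line: discard the rest of it. */
    while (c != EOF && c != '\n')
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/* Convenience wrapper for demos and tests: run read_line over a
 * constructed in-memory input and return its result code. */
enum read_result read_from_string(const char *input, char *out, size_t size)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL)
        return LINE_EOF;
    enum read_result r = read_line(fp, out, size);
    fclose(fp);
    return r;
}

int main(void)
{
    char buf[16];
    /* Constructed input: the second line is longer than buf. */
    const char *input = "short\nthis line is much longer than sixteen bytes\nlast";
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL)
        return 1;
    enum read_result r;
    while ((r = read_line(fp, buf, sizeof buf)) != LINE_EOF)
        printf("%s: \"%s\"\n", r == LINE_TRUNCATED ? "truncated" : "ok", buf);
    fclose(fp);
    return 0;
}
```

The point of returning LINE_TRUNCATED rather than just bounding the copy is that a reviewer looking for gets() replacements should also check what the program does with a line that was cut: treating "this line is mu" as a complete value is a logic bug even though the memory corruption is gone.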