From: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Cc: "Gary W. Swearingen"
Cc: FreeBSD Questions
Subject: Re: setuid on nethack?
Date: Fri, 24 Sep 2004 15:50:10 -0000
X-Original-Date: Fri, 23 Nov 2001 01:09:15 -0800

On Thu, Nov 22, 2001 at 10:07:42PM +0100, Anthony Atkielski wrote:

> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm not
> installing this at a bank.

If you're going to run software written by Joe Random Coder, there's
always an element of risk. There's nothing about the FreeBSD ports
collection which increases this risk, and in fact it makes the
situation slightly safer since we check all "spontaneous" changes in
the md5 checksum of a distfile where the distfile changes with no
change in the software version (e.g. once a few years ago someone
broke into the main ftp server for the tcp_wrappers package, and added
backdoor code to it. The compromised software could not be installed
from the FreeBSD port unless you manually issued an override of the
checksum).

We have also found several isolated instances where software authors
had 'spyware' code which reports details back to the author; these
ports were summarily removed from the ports collection, again making
things safer for the end user.

Thirdly, since you have the source code you are free to examine it for
yourself and evaluate your level of risk according to whichever
criteria you choose.

Kris
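
The checksum pinning described in the message above, as an added example that is not part of the original message and is not code from the ports tree. It assumes a distinfo-style record and substitutes SHA256 for the MD5 the message mentions; `check_distfile`, its `override` parameter, and the `example-1.0.tar.gz` sample are hypothetical names and constructed data.

```python
import hashlib
import hmac
import re

# distinfo line format: "SHA256 (filename) = hexdigest". The 2001 message
# refers to MD5; SHA256 is substituted here.
DISTINFO_LINE = re.compile(r"^SHA256 \(([^)]+)\) = ([0-9a-f]{64})$")


def parse_distinfo(text):
    """Return {filename: pinned_sha256_hex}; SIZE/TIMESTAMP lines are skipped."""
    pinned = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            pinned[m.group(1)] = m.group(2)
    return pinned


def check_distfile(name, data, pinned, override=False):
    """Return (install_allowed, verdict) for fetched bytes `data`.

    The file name carries the version, so a digest change under the same
    name is a distfile that changed with no change in software version.
    """
    if name not in pinned:
        return False, "unlisted"
    actual = hashlib.sha256(data).hexdigest()
    if hmac.compare_digest(actual, pinned[name]):
        return True, "ok"
    # Mismatch: blocked unless the operator overrides by hand (hypothetical flag).
    return override, "changed-without-version-bump"


# Constructed sample data, not a real distfile or port.
ORIGINAL = b"example-1.0 source tree, as released\n"
TAMPERED = ORIGINAL + b"/* lines added on the upstream server */\n"
DISTINFO = (
    "TIMESTAMP = 1000000000\n"
    f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(ORIGINAL).hexdigest()}\n"
    f"SIZE (example-1.0.tar.gz) = {len(ORIGINAL)}\n"
)

if __name__ == "__main__":
    pins = parse_distinfo(DISTINFO)
    for label, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, check_distfile("example-1.0.tar.gz", blob, pins))
```

The pin only helps if the recorded digest reaches the user over a channel the upstream server does not control, which is why the record lives in the ports tree rather than beside the distfile.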