Date: Sat, 21 Aug 1999 12:54:32 -0700
From: "Jan B. Koum " <jkb@best.com>
To: mi@aldan.algebra.com, stable@FreeBSD.ORG
Subject: Re: setting up -STABLE for hack contest
Message-ID: <19990821125432.A3942@best.com>
In-Reply-To: <199908211602.MAA06275@misha.cisco.com>; from Mikhail Teterin on Sat, Aug 21, 1999 at 12:02:07PM -0400
References: <6C37EE640B78D2118D2F00A0C90FCB4401105BBB@site2s1> <199908211602.MAA06275@misha.cisco.com>
On Sat, Aug 21, 1999 at 12:02:07PM -0400, Mikhail Teterin <mi@aldan.algebra.com> wrote:
> Christopher Michaels once wrote:
>
> > Take a look here.
> > http://www.freebsd.org/~jkb/howto.html
>
> Is the "http://www.freebsd.org/~jkb/howto.html#pp" an official point of
> view?
>
> Ports and Packages
>
> It is best not to use ports or packages when building a secure
> system. You don't really know which ports or packages will
> install suid-root binaries on your system - and you don't want
> more than what you have already, trust me. Even though you can
> give different switches to the pkg_add command (such as "-v" or
> "-n"), it is best to download the software in source code form
> and compile it yourself.
>
> I do not see how building the software manually is "more secure"
> -- unless you study the Makefiles and INSTALL/README files. This
> is something you can do with ports prior to doing `make install'
> anyway. Perhaps that's what the web-page should encourage, rather than
> dismissing the whole ports system as "insecure".
>
> The web-page also has no mention of xinetd -- a pretty good, IMHO,
> replacement for inetd.
>
> -mi

inetd has no business running on a secure system. At the place where I work we either

a) don't run inetd at all
b) inetd.conf contains only one line for 'sshd -i' in it

But on the topic of ports and packages: they are great for a desktop - but not when you are building a secure server. I have seen many times people install *everything* possible on the machine first and then go back and lock things down. That is wrong. You should install the very minimum to begin with.

I should probably be more clear in the above statement, but the fact that ports/packages install some stuff suid when it doesn't need to is still true (such as ssh - but not sure if that is true though).

-- Yan
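Mikhail's point that you can inspect what a port installs, and Yan's that ports sometimes install setuid binaries they do not need, both come down to one check: what set-id files actually exist under the ports prefix, and which package put them there. The script below is an added example, not part of the original thread; it assumes POSIX find(1)/awk(1) and, for the optional package attribution, the modern FreeBSD `pkg which` command (which did not exist in 1999; `pkg_info -W` filled that role then).

```shell
#!/bin/sh
# Audit a prefix (default /usr/local, where ports and packages install)
# for setuid/setgid files, so that set-id binaries can be reviewed before
# a host is put on the network. Constructed example for this thread.
# Assumes POSIX find/awk; paths containing spaces are not handled.

# Print "mode owner path" for every setuid or setgid regular file under $1.
list_setid() {
    prefix=${1:-/usr/local}
    find "$prefix" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

# Count set-id files under $1: a cheap before/after metric when locking down.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Report each set-id file and, when pkg(8) is available (assumption: modern
# FreeBSD), the package that installed it, so unneeded bits can be traced
# back to a port and stripped with chmod u-s,g-s.
report_setid() {
    list_setid "$1" | while read -r mode owner path; do
        if command -v pkg >/dev/null 2>&1; then
            origin=$(pkg which -q "$path" 2>/dev/null)
            printf '%s %s %s (package: %s)\n' \
                "$mode" "$owner" "$path" "${origin:-none}"
        else
            printf '%s %s %s\n' "$mode" "$owner" "$path"
        fi
    done
}
```

Run `report_setid /usr/local` after installing a port and compare against the count taken before; any new entry is a candidate for `chmod u-s` unless the port's documentation justifies it.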