Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 21 Aug 1999 12:54:32 -0700
From:      "Jan B. Koum " <jkb@best.com>
To:        mi@aldan.algebra.com, stable@FreeBSD.ORG
Subject:   Re: setting up -STABLE for hack contest
Message-ID:  <19990821125432.A3942@best.com>
In-Reply-To: <199908211602.MAA06275@misha.cisco.com>; from Mikhail Teterin on Sat, Aug 21, 1999 at 12:02:07PM -0400
References:  <6C37EE640B78D2118D2F00A0C90FCB4401105BBB@site2s1> <199908211602.MAA06275@misha.cisco.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 21, 1999 at 12:02:07PM -0400, Mikhail Teterin <mi@aldan.algebra.com> wrote:
> Christopher Michaels once wrote:
> 
> > Take a look here.
> > http://www.freebsd.org/~jkb/howto.html
> 
> Is the "http://www.freebsd.org/~jkb/howto.html#pp" an official point of
> view?
> 
> 	Ports and Packages
> 
> 	It is best  not to use ports or packages  when building a secure
> 	system.  You don't  really  know which  ports  or packages  will
> 	install suid-root binaries  on your system - and  you don't want
> 	more then what  you have already, trust me. Even  though you can
> 	give different switches to the  pkg_add command (such as "-v" or
> 	"-n"), it is  best to download the software in  source code form
> 	and compile it yourself.
> 
> I  do  not see  how  building  the  software  manualy is  "more  secure"
> --  unless  you  study  the Makefiles  and  INSTALL/README  files.  This
> is  something you  can  do  with ports  prior  to  doing `make  install'
> anyway. Perhaps, that's what the  web-page should encourage, rather then
> dismissing the whole ports system as "insecure".
> 
> The  web-page also  has no  mention of  xinetd --  a pretty  good, IMHO,
> replacement for inetd.
> 
> 	-mi
> 


	inetd has no business running on a secure system. at the place
where I work we either

a) don't run inetd at all
b) inetd.conf contains only one line for 'sshd -i' in it

	but on topic of port and packages: they are great. for a desktop -
but not when you are building a secure server. I seen many times people
install *everything* possible on the machine first and then going back and
locking things down. that is wrong. you should install very minimum to
begin with. I should probably be more clear in the above statement, but
the fact that ports/packages install some stuff suid when it doesn't need
to is still true (such as ssh - but not sure if that is true though).


-- Yan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990821125432.A3942>