From owner-freebsd-stable  Sat Aug 21 12:55:50 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
	by hub.freebsd.org (Postfix) with ESMTP id 5D3311517A
	for <stable@FreeBSD.ORG>; Sat, 21 Aug 1999 12:55:47 -0700 (PDT)
	(envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost)
	by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id MAA07127;
	Sat, 21 Aug 1999 12:54:32 -0700 (PDT)
Message-ID: <19990821125432.A3942@best.com>
Date: Sat, 21 Aug 1999 12:54:32 -0700
From: "Jan B. Koum " <jkb@best.com>
To: mi@aldan.algebra.com, stable@FreeBSD.ORG
Subject: Re: setting up -STABLE for hack contest
References: <6C37EE640B78D2118D2F00A0C90FCB4401105BBB@site2s1> <199908211602.MAA06275@misha.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199908211602.MAA06275@misha.cisco.com>; from Mikhail Teterin on Sat, Aug 21, 1999 at 12:02:07PM -0400
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Aug 21, 1999 at 12:02:07PM -0400, Mikhail Teterin <mi@aldan.algebra.com> wrote:
> Christopher Michaels once wrote:
> 
> > Take a look here.
> > http://www.freebsd.org/~jkb/howto.html
> 
> Is the "http://www.freebsd.org/~jkb/howto.html#pp" an official point of
> view?
> 
> 	Ports and Packages
> 
> 	It is best  not to use ports or packages  when building a secure
> 	system.  You don't  really  know which  ports  or packages  will
> 	install suid-root binaries  on your system - and  you don't want
> 	more then what  you have already, trust me. Even  though you can
> 	give different switches to the  pkg_add command (such as "-v" or
> 	"-n"), it is  best to download the software in  source code form
> 	and compile it yourself.
> 
> I  do  not see  how  building  the  software  manualy is  "more  secure"
> --  unless  you  study  the Makefiles  and  INSTALL/README  files.  This
> is  something you  can  do  with ports  prior  to  doing `make  install'
> anyway. Perhaps, that's what the  web-page should encourage, rather then
> dismissing the whole ports system as "insecure".
> 
> The  web-page also  has no  mention of  xinetd --  a pretty  good, IMHO,
> replacement for inetd.
> 
> 	-mi
> 


	inetd has no business running on a secure system. at the place
where I work we either

a) don't run inetd at all
b) inetd.conf contains only one line for 'sshd -i' in it

	but on topic of port and packages: they are great. for a desktop -
but not when you are building a secure server. I seen many times people
install *everything* possible on the machine first and then going back and
locking things down. that is wrong. you should install very minimum to
begin with. I should probably be more clear in the above statement, but
the fact that ports/packages install some stuff suid when it doesn't need
to is still true (such as ssh - but not sure if that is true though).


-- Yan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message