Date:      Sat, 13 Jun 2015 15:40:43 +0200
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Carmel NY <carmel_ny@outlook.com>
Cc:        FreeBSD Ports <freebsd-ports@freebsd.org>
Subject:   Re: OpenSSL Security Advisory [11 Jun 2015]
Message-ID:  <557C32DB.8030001@sorbs.net>
In-Reply-To: <BLU436-SMTP60FD9F63B6E4C00EFF6BD880BA0@phx.gbl>
References:  <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net> <20150613113644.GA1259@xtaz.uk> <BLU436-SMTP117F30000C7F3A01C51964280BA0@phx.gbl> <557C2684.90302@sorbs.net> <BLU436-SMTP60FD9F63B6E4C00EFF6BD880BA0@phx.gbl>

Carmel NY wrote:
> On Sat, 13 Jun 2015 14:48:04 +0200, Michelle Sullivan stated:
>
>   
>> Carmel NY wrote:
>>     
>>> On Sat, 13 Jun 2015 12:36:44 +0100, Matt Smith stated:
>>>
>>>       
>>>> The other alternatives are as you say, put /usr/local/bin before 
>>>> /usr/bin in the $PATH. Or add an alias for commands like ssh to point to 
>>>> the ports version. These methods aren't quite as clean though.
>>>>     
>>>>         
>>> Swapping the PATH can, in a few instances, really mess up attempting to
>>> build a port. I finally gave up and used the "alias" idea for openssl. It
>>> appears to work Okay.
>>>
>>>       
>> From a security aspect...
>   
>> Do all your users alias?  (assumption: it's more than just you on the system)
>> Do you check the alias is set every time you login to a session?
>> If you change to another shell for any reason is the alias persistent? 
>> (eg as root (defaults to csh) sometimes I have to do: sh -c 'for a in x
>> y z ; do ( cd ${a} && rsync -e ssh remote.server:/path ) ; done' ) - and
>> do other users know that this would be wrong?
>>
>> See the point I mean?
>>
>> For the security conscious one would know to use the full path of ssh,
>> most do not do this... a large percentage have no idea that they would
>> even need to let alone remember.
>>
>> Regards,
>>
>> Michelle
>>
>> PS: There is a workaround for ssh clients in /etc/ssh/ssh_config to stop
>> it falling back to "insecure" protocols - though every freebsd-update
>> attempts to change this file back to the default... fortunately I have
>> puppet to reset the file in the event of me missing the update/reset.
>>     
>
> alias openssl='/usr/local/bin/openssl'
>
> I use bash as my shell.  I have this set in the ~/.bashrc file:
>
> if [ -f ~/.bash_aliases ]; then
>  . ~/.bash_aliases
> else
>  : ##
> fi
>
> The ~/.bashrc file contains all of my predefined aliases.
>
> $ openssl version
> OpenSSL 1.0.2c 12 Jun 2015
>
> # openssl version
> OpenSSL 1.0.2c 12 Jun 2015
>
> $ sudo openssl version
> OpenSSL 1.0.1l-freebsd 15 Jan 2015
>
> I probably should find a way to fix the "sudo" command; however, since I
> rarely use it, I don't know if I will bother.
>
> For all practical purposes, I am the only system user.
>
>   
You just illustrated my point in the best possible way.  Thank you.

Michelle

-- 
Michelle Sullivan
http://www.mhix.org/
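
The point made in this message, that an alias or a reordered PATH only holds in the shell that set it, can be checked per execution context. The script below is an added example, not part of the original e-mail; the function names, the sandbox of stub `openssl` files and the two PATH values are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). An alias exists only in the shell that
# defined it, so for every other context what matters is plain PATH lookup.

# first_in_path CMD PATHSTRING: print the first executable CMD in PATHSTRING.
first_in_path() {
    fp_ifs=$IFS; IFS=:
    for fp_dir in $2; do
        fp_file="${fp_dir:-.}/$1"            # empty PATH element means "."
        if [ -f "$fp_file" ] && [ -x "$fp_file" ]; then
            IFS=$fp_ifs
            printf '%s\n' "$fp_file"
            return 0
        fi
    done
    IFS=$fp_ifs
    return 1
}

# audit_cmd CMD WANTED LABEL=PATH...: one line per context; returns 1 if any
# context would run something other than WANTED.
audit_cmd() {
    ac_cmd=$1; ac_wanted=$2; shift 2
    ac_rc=0
    for ac_ctx in "$@"; do
        ac_found=$(first_in_path "$ac_cmd" "${ac_ctx#*=}") || ac_found="(not found)"
        if [ "$ac_found" = "$ac_wanted" ]; then ac_state=ok; else ac_state=MISMATCH; ac_rc=1; fi
        printf '%-10s %-9s %s\n' "${ac_ctx%%=*}" "$ac_state" "$ac_found"
    done
    return $ac_rc
}

# Constructed sandbox: stub "openssl" files standing in for base and ports.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/bin" "$sb/usr/local/bin"
    for sb_dir in usr/bin usr/local/bin; do
        printf '#!/bin/sh\necho stub\n' > "$sb/$sb_dir/openssl"
        chmod +x "$sb/$sb_dir/openssl"
    done
    printf '%s\n' "$sb"
}

# Demo with constructed PATH values (assumptions, not real system defaults).
SB=$(make_sandbox)
audit_cmd openssl "$SB/usr/local/bin/openssl" \
    "user=$SB/usr/local/bin:$SB/usr/bin" \
    "sudo=$SB/usr/bin:$SB/usr/local/bin" || echo "some contexts run a different openssl"
rm -rf "$SB"
```

To audit a real host, pass the PATH strings each context actually sees in place of the sandbox values.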




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?557C32DB.8030001>