Date:      Mon, 18 Oct 1999 10:01:22 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        tom brown <tmcb1971@yahoo.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: General security of vanilla install WAS [FreeSSH]
Message-ID:  <Pine.BSF.4.10.9910180940240.50020-100000@anchovy.orem.iserver.com>
In-Reply-To: <19991017043046.5909.rocketmail@web115.yahoomail.com>

On Sat, 16 Oct 1999, tom brown wrote:

> It's a mean world out there, and FreeBSD is a good contender as
> security goes, but not straight out of the box!

I think this borders more on hyperbole.  What is it "straight out of the
box" that strikes you as so insecure?  When was the last time that a
daemon considered "part of FreeBSD" (i.e. not one of the ports) had a
remote root vulnerability?  And what about local root vulnerabilities?  
The fts-bug-and-core-dumping-follows-symbolic-links hole was the last one
in recent memory, but how would restricting what gets installed at
installation time have affected that in any way?

Just saying something like "I have X number of SUID/SGID programs
installed or Y number of daemons running from inetd on my fresh vanilla
install so I am insecure" makes it sound scary, but how many exploits do
you have for each of those?  And if you're advanced enough to be reading
this list, then you'd be advanced enough to turn off services you don't
need (which is always a good idea).

I feel that the vanilla install strikes a delicate balance between
security and usability.  Inexperienced users will have enough running to
see how FreeBSD works without undue exposure, and experienced users have
only a few things to turn off if they're worried about them.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
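The reply above argues that a count of inetd services and SUID/SGID binaries is not a security measurement by itself, and that the right response is to turn off what you don't need. The script below is an added example, not part of the original message or of FreeBSD; it reads a constructed inetd.conf (standing in for /etc/inetd.conf, which this example does not touch), lists and counts the enabled services, shows how a single service is commented out, and enumerates set-uid/set-gid files under a directory so the admin can review each one rather than just count them.

```shell
#!/bin/sh
# Added example (not from the original message): audit the two numbers the
# thread argues about, enabled inetd services and set-uid/set-gid binaries,
# so the admin can decide what to turn off instead of just counting.

# Constructed sample inetd.conf, standing in for /etc/inetd.conf on a fresh install.
SAMPLE_INETD_CONF='#
# Internet server configuration database (constructed sample)
#
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    root    /usr/libexec/comsat     comsat
#ntalk  dgram   udp     wait    root    /usr/libexec/ntalkd     ntalkd
'

# Print the enabled (uncommented) service names from inetd.conf text on stdin.
# A valid entry has at least six fields: service, socket type, protocol,
# wait/nowait, user and server program.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 { print $1 }'
}

# Count enabled services in inetd.conf text on stdin.
count_enabled() {
    enabled_inetd_services | wc -l | tr -d ' '
}

# Comment out one named service (stdin -> stdout), the change the reply
# recommends for services you don't need; inetd re-reads the file on SIGHUP.
disable_inetd_service() {
    svc="$1"
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }'
}

# List set-uid and set-gid regular files under a directory, with mode and
# owner, for review one at a time. Errors on unreadable paths are suppressed.
list_setid() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Demonstration on the constructed sample.
printf 'Enabled inetd services:\n'
printf '%s' "$SAMPLE_INETD_CONF" | enabled_inetd_services
printf 'After disabling telnet:\n'
printf '%s' "$SAMPLE_INETD_CONF" | disable_inetd_service telnet | enabled_inetd_services
```

Run `list_setid /usr/bin` (or any directory you want to review) to get the SUID/SGID list; each line is a program to look at and justify, which is the point the reply makes about numbers versus exposure.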


