From owner-cvs-all Fri Aug 11 11:41:56 2000
Delivered-To: cvs-all@freebsd.org
Received: from lion-around.at.yiff.net (lion-around.at.yiff.net [209.54.21.199])
	by hub.freebsd.org (Postfix) with ESMTP id 64B3937B809;
	Fri, 11 Aug 2000 11:41:47 -0700 (PDT)
	(envelope-from chris@netmonger.net)
Received: (from chris@localhost)
	by lion-around.at.yiff.net (8.9.3/8.9.3) id OAA35747;
	Fri, 11 Aug 2000 14:41:48 -0400 (EDT)
	(envelope-from chris@netmonger.net)
X-Authentication-Warning: lion-around.at.yiff.net: chris set sender to chris@netmonger.net using -f
Date: Fri, 11 Aug 2000 14:41:48 -0400
From: Christopher Masto
To: "Chris D. Faulhaber"
Cc: Warner Losh, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <20000811144136.A12290@netmonger.net>
References: <20000811141800.A14610@netmonger.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from jedgar@fxp.org on Fri, Aug 11, 2000 at 02:29:37PM -0400
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Aug 11, 2000 at 02:29:37PM -0400, Chris D. Faulhaber wrote:
> > > Don't build suidperl by default.  Make users specifically enable its
> > > building.
> >
> > Umm.. isn't that a bit of a radical change?  Any reason for it?
>
> Any reason against it?  Given the security hole found under Linux and
> potential problems of Yet Another Suid Binary, it seems a good
> idea.  Also, see the recent discussions on FreeBSD-security.

The reason against it is that it's a standard part of Perl, and a very
useful one.  Without it, those who install from binary, or don't know to
set this option, will not be able to run setuid Perl programs.  Since Perl
has some features specifically designed to aid in writing secure setuid
programs, removing suidperl could actually cause a revenge effect and end
up resulting in _more_ security holes.
This was a strange interaction bug in a program which is very well
inspected, has a good security reputation, was fixed very quickly, and
didn't even apply to FreeBSD.  It seems a bit of an overreaction to
disable suidperl because of it.  As Warner said on freebsd-security, if
you're paranoid, you can just delete suidperl yourself.

If this change is not backed out, I think it is important to at least
come up with an easy way to get suidperl without building from source.
We should not force this limitation on casual users.

-- 
Christopher Masto        Senior Network Monkey      NetMonger Communications
chris@netmonger.net        info@netmonger.net        http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
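The message refers to Perl's "features specifically designed to aid in writing secure setuid programs" without naming them. What it means is taint mode, which is what suidperl made usable for setuid scripts. The script below is an added example written for this page; it is not code from the thread, from Perl, or from the FreeBSD tree. It shows the shape such a setuid Perl program takes: environment scrubbing, untainting by regex capture, one privileged operation, then an irreversible privilege drop. The log path, the line limit and the helper's purpose are assumptions made for the example. One caveat the thread predates: suidperl itself was removed from Perl in 5.12, so on a current system the same script would be run through sudo or a setuid C wrapper instead, while the taint rules it relies on are unchanged.

```perl
#!/usr/bin/perl -T
# Added example, not code from the message or from the FreeBSD Perl port.
# A small setuid-root helper written the way taint mode expects.  Installed
# with "chmod 4755" on a system with suidperl, it runs with effective uid 0
# while the real uid stays the caller's.  Perl turns taint checking on by
# itself when real and effective ids differ; the explicit -T makes the same
# checks apply when the script is run by hand, so it can be tested
# unprivileged.
#
# Hypothetical job (an assumption for the example): show an ordinary user
# the last N lines of a log file that only root can read.
use strict;
use warnings;
use POSIX qw(setuid getuid geteuid);

my $LOG = '/var/log/messages';   # assumed to be readable only by root

# 1. Scrub the environment first.  Under taint mode an external command is
#    refused ("Insecure $ENV{PATH}") while PATH is tainted or names a
#    world-writable directory, and the other variables below can redirect
#    a child shell or a child perl.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERLLIB PERL5OPT)};

# 2. Everything that arrives from outside (argv, stdin, %ENV, file data)
#    is tainted.  Passing it to system(), exec(), a write-mode open(),
#    unlink() and friends dies with "Insecure dependency in ...".  The only
#    way to untaint a value is to copy out a validated substring with a
#    regex capture, which forces the validation to actually be written.
my $count = @ARGV ? $ARGV[0] : '20';
if ($count =~ /\A([1-9][0-9]{0,2})\z/) {   # 1..999 lines, digits only
    $count = $1;                            # $1 is untainted
} else {
    die "usage: $0 [lines]\n";
}
# For contrast, this would die under -T even after the check above,
# because $ARGV[0] is still tainted and the string form invokes a shell:
#   system("tail -n $ARGV[0] $LOG");

# 3. Do the one thing that needs privilege ...
open(my $fh, '<', $LOG) or die "open $LOG: $!\n";

# 4. ... then give privilege up for good before touching anything else.
#    setuid(2) called with effective uid 0 sets real, effective and saved
#    uids together, so there is no route back to root afterwards.  The
#    check calls getuid/geteuid directly rather than reading $< / $>,
#    which older perls cache.
setuid(getuid()) or die "setuid: $!\n";
die "privileges not dropped\n" if geteuid() != getuid();

# 5. Unprivileged from here on: keep the last $count lines and print them.
my @tail;
while (my $line = <$fh>) {
    push @tail, $line;
    shift @tail if @tail > $count;
}
close $fh;
print @tail;
```

Run unprivileged with `perl -T showlog.pl 5` to see the taint checks without any setuid bit in play; delete the regex branch or feed `$ARGV[0]` to `system` in string form to watch perl refuse the operation. The point the example makes about the thread's argument is that every one of these checks is enforced by the interpreter, which is why removing suidperl pushes people toward a C or shell wrapper where none of them exist.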