| Subject: | Re: security hole in FreeBSD | |
|---|---|---|
| From: | Bill Pechter (pech...@lakewood.com) | |
| Date: | Jul 29, 1997 12:29:49 pm | |
| List: | org.freebsd.freebsd-security | |
FreeBSD'ers
Adam and I have been debating this one offline a bit.
I brought this one back to freebsd-security to see if I'm the only one that has a problem with removing suid from uucp or removing uucp from the base distribution --
I'll avoid continuing this if others here think I should drop this one. I don't want to suck bandwidth if there's not a serious effort to change the way FreeBSD ships.
It may be I'm just having a bad day -- but I think:
The day FreeBSD stops including stuff like UUCP in the base system is the day I find another (NetBSD/OpenBSD/Linux) OS.
I like the fact it is ALL of Unix. Put a package together that will shut down the SUID stuff -- keep this out of the standard distribution.
Most Linux admins have never seen Cops/Tripwire/TCP Wrappers. If you're allowing others to connect to your machine you need to determine the amount of risk you are willing to allow and work to decide how to protect yourself. Inherent with connectivity is risk. Inherent with protection is knowing that NO machine is automatically secure out of the box.
I worked with a number of commercial Unix systems running C2 and B2 security and they all came in an unsecure manner and you turned on the audit and security features used to bring them to a more secure level.
If you want to connect to the internet then YOU need to firewall/harden the security of the system. If you're running it as an IN-HOUSE machine you may not care about maximizing security. It's a base-level functionality vs. security debate.
From: Adam Shostack <ad...@homeport.org>
| >
| > I don't deny there are people doing it, but anyone who wants
| > to run UUCP knows enough to turn it on. Most people don't use it;
| > there exists a potential of a security hole, it should ship turned
| > off, possibly with a script to turn it on.
| >
| > Want to take a stab at how many Freebsd users know what HDB
| > stands for? How it differs from Taylor? Heck, how many know what
| > uucp stands for?
| >
| > Adam
|
| Bill Pechter wrote:
| Everyone I taught Unix admin knows all of that. Anyone doing Unix admin
| should know that.
From: Adam Shostack <ad...@homeport.org>
Should, but do they? This guy with the problem sure doesn't. Most Linux admins don't, if you read the CERT summaries. We need to improve the baseline. You and I, and anyone else who wants to run UUCP can turn it on.
Bill
------------------------------------------------------------------------------
Bill Pechter | 17 Meredith Drive Tinton Falls, NJ 07724 | 908-389-3592
pech...@lakewood.com | Save computing history, give an old geek old hardware.
This msg brought to you by the letters PDP and the number 11.





