Re: ports security (was: fetch extension - use local filename from content-disposition header)

On Pén, December 30, 2005 11:20 am, Simon L. Nielsen wrote:
> I don't remember seeing it discussed. Fetching as a non-privileged
> user seems like a really good idea to me. Building as non-root would
> be nice, but doesn't really buy you much security wise

I would be interested to hear why you think this. (I am aware of the
problems at install stage)

> (and will
> possibly break at least some programs that makes silly assumptions
> about build as root).

Yes, although we do not know how many programs are affected by this in
reality. Eg Gentoo, AFAIK does not build as root.

> Note that both of these features are somewhat paranoid security
> features, and the risk of getting compromised by either is much
> smaller than getting compromised by some other much more simple
> vulnerability.

I think that running fetch as root is really an unnecessary risk to the
system for the same reason as running a web browser or reading mail as
root is. For some, this risk is bearable. But it is not security best
practice by any stretch.

Regards
Sz.

------------------------------------------------------------------------
Telcsi.hu - A legújabb csengőhangok menő slágerekkel >>>
Polifónikus és normál csengőhangok >>> Animált és normál háttérképek >>>
MP3 effektek >>> http://www.telcsi.hu/index.php?prefix=VM


_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • RE: Linux hacked
    ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • Re: Linux hacked
    ... is to boot your system with a separate ... You can't trust the logs, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: [security bulletin] HPSBTU02211 SSRT071326 rev.1 - HP Tru64 UNIX Running the dop command, Lo
    ... HP Software Security Response Team ... UNIX Operating System running the dop command. ... privileges of the root user. ... echo "HP Security bulletin code identification: ...
    (Bugtraq)
  • [UNIX] Security Vulnerabilities in OSF1/Tru64 3.x
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... locally exploitable buffer overflow which allows an attacker to gain root ... The executable is installed setuid root ... September 18, 2002 - Public Disclosure ...
    (Securiteam)