suid bit files and securing FreeBSD
Daniel Harris
dh at askdh.com
Sat Jul 26 10:55:03 PDT 2003
Matthew Graybosch wrote:
> But if you're concerned with security uber alles, I'm surprised you
> didn't look into OpenBSD first. According to their site
> (openbsd.org), they've had "only one remote hole in the default
> install, in more than 7 years!"
Caveat: the default install has almost nothing in it. This is fine if
you plan to do almost nothing, but if you install any software, you'll
be about as well off as if you were installing that software anywhere else.
> FreeBSD certainly can be secured, but it appears that the developers
> put performance and reliability first, and then security. Theo de
> Raadt puts security first.
The BSDs borrow freely from each other. OpenBSD perhaps is a little
more aggressive about cryptography in the base system, but the results
of OpenBSD audits are often used by Net and Free. Please look up from
your "BSD Executive Summary" article :-)
To claim that FreeBSD puts reliability ahead of security doesn't make
sense; a compromised system is usually not reliable. Security (and more
broadly, stability/reliability) are given a little more consideration
than performance, if you want to order them. A competent administrator
can secure any system. An incompetent administrator should become
competent (on machines unreachable from the internet) before running
anything important in publicly-reachable space.
To the original poster: I take it you are running DNS and SMTP on the
FreeBSD machine? Try to avoid BIND 8; use BIND 9 or djbdns for your
DNS. Qmail and Postfix have better security records than Sendmail for
SMTP; I prefer Postfix for ease of configuration. If you're running a
BIND version, run it as user bind in a chroot (at least). I'd worry
more about your public services than about SUID bits: if there is no
shell access, nobody will be able to take advantage of SUID without
first finding a hole allowing shell access.
Subscribe to freebsd-security-notifications for, well, security
notifications. Keep your ears open for bugs in your MTA or DNS server.
With a little vigilance you have little to fear. Good luck,
--
Daniel Harris
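Two defender-side checks for the advice in this reply, as an added example that is not part of the original post and not FreeBSD's or BIND's own code: one confirms from a process listing that named is running as user bind with a chroot, the other inventories SUID/SGID files so the list can be diffed against a saved baseline. It assumes named's `-u <user>` and `-t <chrootdir>` flags and a `USER COMMAND` process-listing layout (`ps -axo user,command` on FreeBSD); the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: named was started with "-u bind -t <chrootdir>" and the
# listing line looks like the output of "ps -axo user,command".

# named_ok "<user> <command line>"
# Returns 0 only if the process owner is bind AND a -t chroot flag is present.
# The USER column is the real evidence; "-u bind" on the command line alone
# does not prove the privilege drop happened.
named_ok() {
    line=$1
    user=${line%% *}
    cmd=${line#* }
    [ "$user" = "bind" ] || return 1
    case "$cmd" in
        *" -t "*) return 0 ;;
    esac
    return 1
}

# suid_inventory DIR
# Prints a sorted list of regular files under DIR with setuid or setgid set.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_diff BASELINE_FILE DIR
# Prints SUID/SGID files not listed in BASELINE_FILE; returns 1 if any appear.
# Save "suid_inventory / > baseline" once after install, then rerun this.
suid_diff() {
    current=$(suid_inventory "$2")
    [ -n "$current" ] || return 0
    new=$(printf '%s\n' "$current" | grep -vxF -f "$1")
    [ -n "$new" ] || return 0
    printf '%s\n' "$new"
    return 1
}

# Live usage (constructed line shown; on a real host pipe ps output instead):
# ps -axo user,command | grep '[n]amed' | while read -r l; do named_ok "$l" || echo "named NOT confined: $l"; done
```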