suid bit files and securing FreeBSD

Daniel Harris dh at askdh.com
Sat Jul 26 10:55:03 PDT 2003 

Matthew Graybosch wrote:
> But if you're concerned with security uber alles, I'm surprised you 
> didn't look into OpenBSD first. According to their site 
> (openbsd.org), they've had "only one remote hole in the default 
> install, in more than 7 years!"

Caveat: the default install has almost nothing in it.  This is fine if 
you plan to do almost nothing, but if you install any software, you'll 
be about as well off as if you were installing that software anywhere else.

> FreeBSD certainly can be secured, but it appears that the developers 
> put performance and reliability first, and then security. Theo de 
> Raadt puts security first.

The BSDs borrow freely from each other.  OpenBSD perhaps is a little 
more aggressive about cryptography in the base system, but the results 
of OpenBSD audits are often used by Net and Free.  Please look up from 
your "BSD Executive Summary" article :-)

To claim that FreeBSD puts reliability ahead of security doesn't make 
sense; a compromised system is usually not reliable.  Security (and more 
broadly, stability/reliability) are given a little more consideration 
than performance, if you want to order them.  A competent administrator 
can secure any system.  An incompetent administrator should become 
competent (on machines unreachable from the internet) before running 
anything important in publically-reachable space.

To the original poster: I take it you are running DNS and SMTP on the 
FreeBSD machine?  Try to avoid BIND 8; use BIND 9 or djbdns for your 
DNS.  Qmail and Postfix have better security records than Sendmail for 
SMTP; I prefer Postfix for ease of configuration.  If you're running a 
BIND version, run it as user bind in a chroot (at least).  I'd worry 
more about your public services than about SUID bits: if there is no 
shell access, nobody will be able to take advantage of SUID without 
first finding a hole allowing shell access.

Subscribe to freebsd-security-notifications for, well, security 
notifications.  Keep your ears open for bugs in your MTA or DNS server. 
  With a little vigilance you have little to fear.  Good luck,

-- 
Daniel Harris

More information about the freebsd-questions mailing list