FreeBSD and User Security

Roland Smith rsmith at xs4all.nl
Wed Jun 11 21:47:45 UTC 2008 

On Wed, Jun 11, 2008 at 10:25:32PM +0200, David Naylor wrote:
> Hi All,
> 
> Today I read an article describing how my government had lost ZAR200 000 000 
> from fraud.  This is just under $25 000 000.  The article credited this loss 
> largely due to the use of spyware.  
> 
> My question is how secure is FreeBSD (including KDE, GNOME and XFCE) to 
> attacks, including cracking and spyware. 

That is a very broad question without a simple answer. It depends among
other things on the purpose of the machine and the knowledge of the
administrator. 

E.g, if you are creating a workstation that doesn't run externally
accessible servers you could configure the firewall to block all
incoming new connection requests. That will go a long way toward
safeguarding the machine against network attacks.

There is no way to safeguard a machine that an attacker has physical
access to; he could e.g. steal the harddisk and read your data at his
leisure (unless it is encrypted on-disk, e.g. with geli(8)). Also, no OS
can defend against social engineering attacks. 

I would not worry overly much about spyware.  Most if not all of those
are windows binaries. Also, unix mail clients as a rule do not execute
scripts embedded in mail messages.

> In addition, is there anyway to 
> prevent a user from executing a program that is not owned by root (i.e. any 
> program installed by the user), this would prevent spyware being installed 
> (assuming root has been properly locked down) and subsequently run.  

You could mount /home and other partitions where users have write access
like /tmp with the noexec option. Note that that wouldn't block the execution
of scripts, just binaries.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080611/a326622f/attachment.pgp

More information about the freebsd-questions mailing list