realpath(3) et al

Jacques A. Vidrine nectar at FreeBSD.org
Mon Aug 11 16:21:34 PDT 2003 

On Mon, Aug 11, 2003 at 02:08:27PM -0700, Mike Hoskins wrote:
> First, I hope that this message is not considered flame bait.  As someone
> who has used FreeBSD for for 5+ years now, I have a genuine interest in
> the integrity of our source code.
> 
> Second, I hope that this message is not taken as any form of insult or
> finger pointing.  

No worries.

> Software without bugs does not exist, and I think we all
> know that.  Acknowledging that point and working to mitigate the risks
> associated with it would seem to be our only real option.

Yes, we are all agreed here.

> That said, every time something like the recent realpath(3) issue comes
> to light, I find myself asking why I haven't at least tried to do more to
> review our source code or (more desirable) enable 3rd-party audits.

More people should ask themselves that :-)  One can talk about auditing
code, or one can do it.

Even in projects where careful auditing has been the primary focus,
things get missed.  For example, OpenBSD missed this exact same bug
and corrected it about the same time as everyone else.

> My question is...  If enabling a 3rd-party audit for some target release
> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
> other-wise?  

People need to read code, that's all.  You can share your code reading
insights at freebsd-audit at freebsd.org, or if you believe it is
sensitive, with security-team at freebsd.org.

We _do_ already audit code, you know.  FreeBSD-SA-03:09.signal was a
result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
auditing.  Also, many commits that are just `cleanup' are the result
of a kind of `auditing'.

What we perhaps lack is coordination.  This is not easy in a volunteer
environment, but perhaps something as simple as a `scoreboard' with
`these files being audited/have been audited by whatsmyname' would be
an improvement.  On the other hand, in my experience, people are quick
to volunteer and slow to follow up --- usually disappearing. :-(  Of
course, those that do follow up often become committers themselves :-)

> I'm willing to invest both time and money to make this
> happen.  I'd expect such an endeavor to be tedious and expensive...  and,
> of course, it would really need to be repeated occasionally to be of real
> value.  (Probably, at least, after major version number changes.)
> However, perhaps doing an audit of the base system now would help our
> image in the security community?

*shrug* I didn't know we had an image problem in the security
community.

Probably the single most effective way to get an audit done is to read
the code :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se

More information about the freebsd-security mailing list