realpath(3) et al

Devon H. O'Dell dodell at sitetronics.com
Tue Aug 12 01:24:33 PDT 2003


I was reading an article on Slashdot recently about Linux just getting some
sort of security certification and asked the question "What about FreeBSD?"
I got the standard BSD trolls, but my comment was actually modded up to a 3,
Interesting, I believe.

What sorts of security standards commissions are there, how much does
getting "standards certified" cost, and where should we start? 

I'm all for getting a website up to give out information on what we're
trying to do and possibly collect donations, take comments, and set up
discussions. I do have the time, resources, space and FreeBSD box ;) to set
this up.

I'd like to get started with this ASAP; any other ideas?

Kind regards,

Devon H. O'Dell
Systems and Network Engineer
Simpli, Inc. Web Hosting
http://www.simpli.biz

> -----Original Message-----
> From: owner-freebsd-security at freebsd.org [mailto:owner-freebsd-
> security at freebsd.org] On Behalf Of fbsd at w88trigger.com
> Sent: Tuesday, August 12, 2003 3:32 AM
> To: security at freebsd.org
> Subject: Re: realpath(3) et al
> 
> Organizing a review of the FreeBSD code base will be a tedious,
> yet highly valuable endeavor.  I have little spare time or
> money, but I would be willing to contribute what I can for such
> a worthy cause.  I suspect that there are many others who feel
> this way, and therefore it may be feasible for the 3rd party
> conducting the review to be made up almost entirely of
> volunteers.  I guess the big issue is how to get the process
> started.
> 
> Need person(s) to organize reviews:
> It seems like a first step should be to find someone who can
> organize audits/reviews of the code base, and organize groups of
> reviewers.  Bodies of code could then be assigned to individual
> volunteers or groups for review within some time frame.  Results
> would be collected and organized and code fixes made and
> applied.  No matter how the project is managed, I think the
> first action must be to identify some volunteers to run the code
> review project.
> 
> Just an Idea:
> Perhaps such reviews could take the form of bug-hunting contests,
> where those who discover software defects or vulnerabilities are
> awarded some form of recognition (i.e., named on FreeBSD
> website), and/or some prize or trophy.  This could actually be a
> really fun activity if presented in the right way.  Conducting
> reviews in this manner may help attract more interest and reduce
> or eliminate any need to hire a professional organization to
> perform reviews.  Of course there would have to be some rules
> like, people cannot review code they had any part in authoring.
> 
> Any way to get organized reviews done will be a great benefit to
> the FreeBSD code base.  I just want to see it happen and to help
> where I can.
> 
> --ajg
> 
> 
> On Monday 11 August 2003 14:08, Mike Hoskins wrote:
> > First, I hope that this message is not considered flame bait.
> > As someone who has used FreeBSD for 5+ years now, I have a
> > genuine interest in the integrity of our source code.
> >
> > Second, I hope that this message is not taken as any form of
> > insult or finger pointing.  Software without bugs does not
> > exist, and I think we all know that.  Acknowledging that point
> > and working to mitigate the risks associated with it would
> > seem to be our only real option.
> >
> > That said, every time something like the recent realpath(3)
> > issue comes to light, I find myself asking why I haven't at
> > least tried to do more to review our source code or (more
> > desirable) enable 3rd-party audits.
> >
> > My question is...  If enabling a 3rd-party audit for some
> > target release (5.3+ I'd assume) is desirable, what would be
> > needed money-, time- and other-wise?  I'm willing to invest
> > both time and money to make this happen.  I'd expect such an
> > endeavor to be tedious and expensive...  and, of course, it
> > would really need to be repeated occasionally to be of real
> > value.  (Probably, at least, after major version number
> > changes.) However, perhaps doing an audit of the base system
> > now would help our image in the security community?
> >
> > All I know is, despite occasional arguments and rants, I like
> > FreeBSD. As long as it exists, I plan to have it installed...
> > So it is in my best interest to help in any way I can.  I know
> > projects like secure/trustedBSD exist, but I am really looking
> > for ways to promote the trust of the base system more than
> > specialized projects/branches.
> >
> > Thoughts?
> >
> > -mrh
> >
> > _______________________________________________
> > freebsd-security at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe at freebsd.org"
> 
