Procmail Vulnerabilities check

Chris H portmaster at BSDforge.com
Mon Dec 11 20:13:31 UTC 2017


On Mon, 11 Dec 2017 19:36:49 +0100 "Kurt Jaeger" <lists at opsec.eu> said

> Hi!
> 
> > if the majority of people install their systems via packages, that makes for
> > a fairly common FreeBSD base across all users.
> 
> Why would a system installed via packages be more homogenous than
> one installed as base, and updated via freebsd-update ? I don't
> understand this -- can you elaborate ?
OK. I'll try. I'm afraid I sort of went on a jag, and didn't really make a good
point -- if *any* point. Sorry.
But to the point, and sorry for the (additional) deviation:
If I have a user base that shares a near-identical install, I am far closer
to finding/having a pattern I can work with to *exploit*, as an evil hacker.
So here's the thing; working from the history of Linux, and for that matter,
even MS products... someone discovers an exploit in FreeBSD, or some component
common to FreeBSD. I can take down a *much* greater number of users, now that
the (larger) portion of FreeBSD's user base shares such a common install base --
applications (ports)/kernel et al. are pretty much all the same for *everyone*
because of the introduction of pkg(8).
Yes. But what's the difference if they made everything from ports(7)?
IMHO, and in my experience, users confronted with options at build time are
*more* likely to actually *choose* options that better suit their use/needs.
But using packages is easier, and so if in the end everything just *works*,
there's little incentive to use that scary "make" thing and have to learn
all those intimidating things associated with the ports system.
Well, FLAVORS should solve all that. Wouldn't it?
That *does* seem like a strong argument, and while I applaud all the efforts,
and those that are responsible for those efforts, the jury is still out.
FLAVORS has yet to *fully* arrive. So it's just too early to say for sure.
But I would agree that it *should*.
When I look back at all the security threats that Linux had to deal with
(even now), and how the ultimate argument was so often: use *BSD, it's a
much more secure OS by design. Which was true. Linux was/is always installed
in packages, or by whatever moniker they use for them. With that, and their
choice of kernel arrangement, they were left as easier targets than the BSD
family of operating systems. Now, looking at the increasing narrowing of
differences between the two, I can't help but think that the threat vector
gap is *also* narrowing.

> 
> > In closing, and more to the point regarding Sendmail; Sendmail has a nearly
> > impeccable security record in the last decade. It provides a *secure*,
> > more powerful, and more flexible MX on the cheap. I see little reason to
> > consider it an attack vector. Which makes *security*, and its related
> > maintenance a pretty poor argument, for its removal.
> 
> The argument is: The update process for base is more complex
> than for packages, and we've come a long way to have a very
> nice pkg-system, in general. The mid-term plan is thus to package base, too.
> 
> Packaging base means sensible packages have to be defined, and
> sendmail suits a package very well.
Indeed it *does*, and *should* be a package installed *along* with $BASE.
That's my only argument there. :-)

Thanks for your thoughtful reply, Kurt!

--Chris
> 
> -- 
> pi at opsec.eu            +49 171 3101372                         3 years to go
> !
