*BSD News Article 94025


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!arclight.uoregon.edu!newsfeed.direct.ca!nntp.portal.ca!cynic.portal.ca!not-for-mail
From: cjs@cynic.portal.ca (Curt Sampson)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Followup-To: alt.flame
Date: 20 Apr 1997 22:34:01 -0700
Organization: Internet Portal Services, Inc.
Lines: 45
Message-ID: <5jeu89$gdj@cynic.portal.ca>
References: <3356E1CC.299E@softway.com.au> <DERAADT.97Apr20113509@zeus.pacifier.com> <5jeb2b$ata@cynic.portal.ca> <DERAADT.97Apr20195500@zeus.pacifier.com>
NNTP-Posting-Host: cynic.portal.ca
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6693 comp.unix.bsd.misc:3030 comp.security.unix:33783


In article <DERAADT.97Apr20195500@zeus.pacifier.com>,
Theo de Raadt <deraadt@theos.com> wrote:
>In article <5jeb2b$ata@cynic.portal.ca> cjs@cynic.portal.ca (Curt Sampson) writes:
>
>   >   As has OpenBSD. Although I notice your FTP server still has no way
>   >   of doing anonymous uploads that are secure from abuse by warez-traders.
>
>   I am not pointing this out to get into a spitting match; I'm pointing
>   this out to show that you too have holes that are not closed, Theo.
>
>Please describe a hole that can be fixed in _software_.  Putting a
>writeable directory in your anonftp directory is a system admin error.

In other words, OpenBSD doesn't have a problem because it doesn't
support anonymous users uploading files. `It's not a security hole;
just don't use that feature.' That's one way to close them I suppose.

>By the way Curt -- what is your solution?  I see no fix for this in
>the NetBSD ftpd.

So the one who wants me to read his source to find the security
problems can't do the same himself, hmm?

>   >And the source routing controls in the kernel appear
>   >completely insufficient compared to the threat.
>
>   A typical insinuation. What exactly does the OpenBSD kernel do with
>   source routed packets that the NetBSD kernel doesn't, Theo?
>
>It drops them dead, and it bitches too.  Always.  It won't forward
>them and it won't accept them.

The NetBSD kernel does the exact same thing if you set the appropriate
sysctl variables, just like OpenBSD. In other words, when you say
that OpenBSD has bugfixes and security patches that other systems
don't, you're just mouthing off without a clue what you're talking
about.

I think that pretty much puts an end to this discussion.

cjs
-- 
Curt Sampson    cjs@portal.ca	   Info at http://www.portal.ca/
Internet Portal Services, Inc.	   Through infinite myst, software reverberates
Vancouver, BC  (604) 257-9400	   In code possess'd of invisible folly.