[svlug] security

Marc MERLIN marc_merlin at magic.metawire.com
Thu Oct 15 12:00:16 PDT 1998
Previous message: [svlug] security
Next message: [svlug] security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 15 Oct 1998 10:50:39 -0700, Rafael Skodlar <raffi at kset.com> wrote:
>complain/opinion from a user. It's obvious that whoever comes out with the
>distribution that has a default PATH with the dot in the middle is nuts. I

Only for users, not for root.
I think it's a pretty good compromise.

>I installed RH 5.x on different systems and find that it fails in most
>cases if I want to install only a few selected sections of the Linux
>instead of whole thing.

Jeez, I don't know what you're doing wrong. Outside of a couple of machines
with Cyrix CPUs, I've never had an install crash.

>I understand it, OK? Not everybody has access to the latest patches.
>Besides, how many times have you downloaded 3+ MB of stuff over the modem?

You're talking about all the fixes, like Xfree. If you just get the security
fixes, it's not all that big.

>> Ah? Never seen that myself.
>
>Lucky you. You obviously never tried it on a 486 Gateway machine or a
>laptop.

I've installed it on laptops. But, I'll take your word for it, I'm sure that
some exotic hardware may not be happy with linux. However, before blaming
RH, check if slackware and/or debian install on the same machine.

>> Most security people assume that if  someone has access to a machine through
>> any  account, it  is more  or  less equivalent  to that  person having  root
>> access.
>
>"assume" that's what's bothering! Never assume one or the other except
>that things are insecure. Don't assume that the first time user knows

Which is exactly what I was saying.

>> Not on my machine. Once again, it's because your were too lazy to select
>> what you wanted to install.
>
>Man you are stuborn. I did not select PCMCIA scripts on my system for

You too :-)

>example, yet it installed it on my desktop system. It's not a matter of

1) that's a mute point, PCMCIA is part of the system functionality, whether
   you specific hardware supports it or not (some desktop systems do)
2) pcmcia is _not_ a deamon that provides services over the internet and can
   be exploited.

>laziness, it's a matter of time one needs to spend to cleanup the mess. 

No. Just don't install that "mess" in the first place.

>Besides, you can't remember everything at 1:00 in the morning. Regular
>user doesn't know where to find those things much less what they all mean.

And this is RH's fault?

>Ahh, good. Because Slackware has security holes by default, RH has to have
>them too. Because MS has a product that ends up in a blue screen, we need

No. Once again, you're distording the truth to your advantage.
For you, having inetd installed is a security hole, having nfs installed is
a security hole, etc, etc..
1) I don't agree with you
2) Most Unices (not just linux) are the same, or are worse.

>They assume that you need 10 (!!!) Apache daemons runing if you decide to
>run Apache. As a developer or somebody who wants to learn HTML you don't
>need more than 3. You also don't need more than 2 (maybe 4) consoles
>runing since everybody (almost) runs X-windows on workstations.

Rafael,  quit whining. You're  advocating your  defaults when  your previous
message was trying to explain that defaults are evil.

>> Security by obscurity is not security. If you believe the contrary, you are
>> severly mislead.
>
>Look into some commercial Unix and learn what they do. Better yet, read

I have, thank you very much.

>> >That's a secondary issue. Not everybody know that they need to disable
>> >tftp in inetd.conf! And there are very few that realy need it!
>> 
>> You don't have to, it only works  in a subdirectory that's empty by default,
>> and won't let you create files
>
>That's safe! It's not the empty directory, it's the daemon that gets
>exploited.

Ok, I thought you were refering  to the old "GET /etc/passwd" bug. It's been
a while since the  last bug in tftp was found, but I  agree with you that it
wouldn't hurt to disable it, just to be on the safe side.

>What about a regular guy or even a software developer who wants to connect
>to the Internet? Expect him to go hire you to fix BASIC security holes?

Ok. Then, disable everything to make it secure, and now I ask you:
Waht about a regular guy or even a software developer who wants to use basic
unix services that  were all disabled, or so secured  that they're difficult
to use? Expect him to go hire you to enable everything he needs?

Look, I'm all for securing systems by default, but I also know that the more
you do  that, the  more difficult  it is  to use  the system  for beginners.
Personally, I  don't care much either  way as long as  I can do what  I want
later.

>> >Other Unix is not much better in many respects.
>> 
>> Names?
>
>Next time.

Ain't that convenient...

>If the distributions come configured as a standalone secure (tight) by
>default, people would take it for granted. When they want to connect
>somewhere then they would ask a person or a system what it takes to get
>the right services (daemons) runing.

You could do that, but I think you'd double the existing traffic in linux.*

It's all about tradeoffs.

I'll end here, though.

Marc
-- 
Home page: http://magic.metawire.com/~merlin/ (friendly to non IE browsers)
Finger merlin at magic.metawire.com for PGP key and other contact information

--
echo "unsubscribe svlug" | mail majordomo at svlug.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to unsubscribe
Previous message: [svlug] security
Next message: [svlug] security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the svlug mailing list