marc_merlin at magic.metawire.com
Thu Oct 15 12:00:16 PDT 1998
On 15 Oct 1998 10:50:39 -0700, Rafael Skodlar <raffi at kset.com> wrote:
>complain/opinion from a user. It's obvious that whoever comes out with the
>distribution that has a default PATH with the dot in the middle is nuts. I
Only for users, not for root.
I think it's a pretty good compromise.
>I installed RH 5.x on different systems and find that it fails in most
>cases if I want to install only a few selected sections of the Linux
>instead of whole thing.
Jeez, I don't know what you're doing wrong. Outside of a couple of machines
with Cyrix CPUs, I've never had an install crash.
>I understand it, OK? Not everybody has access to the latest patches.
>Besides, how many times have you downloaded 3+ MB of stuff over the modem?
You're talking about all the fixes, like Xfree. If you just get the security
fixes, it's not all that big.
>> Ah? Never seen that myself.
>Lucky you. You obviously never tried it on a 486 Gateway machine or a
I've installed it on laptops. But, I'll take your word for it, I'm sure that
some exotic hardware may not be happy with linux. However, before blaming
RH, check if slackware and/or debian install on the same machine.
>> Most security people assume that if someone has access to a machine through
>> any account, it is more or less equivalent to that person having root
>"assume" that's what's bothering! Never assume one or the other except
>that things are insecure. Don't assume that the first time user knows
Which is exactly what I was saying.
>> Not on my machine. Once again, it's because your were too lazy to select
>> what you wanted to install.
>Man you are stuborn. I did not select PCMCIA scripts on my system for
You too :-)
>example, yet it installed it on my desktop system. It's not a matter of
1) that's a mute point, PCMCIA is part of the system functionality, whether
you specific hardware supports it or not (some desktop systems do)
2) pcmcia is _not_ a deamon that provides services over the internet and can
>laziness, it's a matter of time one needs to spend to cleanup the mess.
No. Just don't install that "mess" in the first place.
>Besides, you can't remember everything at 1:00 in the morning. Regular
>user doesn't know where to find those things much less what they all mean.
And this is RH's fault?
>Ahh, good. Because Slackware has security holes by default, RH has to have
>them too. Because MS has a product that ends up in a blue screen, we need
No. Once again, you're distording the truth to your advantage.
For you, having inetd installed is a security hole, having nfs installed is
a security hole, etc, etc..
1) I don't agree with you
2) Most Unices (not just linux) are the same, or are worse.
>They assume that you need 10 (!!!) Apache daemons runing if you decide to
>run Apache. As a developer or somebody who wants to learn HTML you don't
>need more than 3. You also don't need more than 2 (maybe 4) consoles
>runing since everybody (almost) runs X-windows on workstations.
Rafael, quit whining. You're advocating your defaults when your previous
message was trying to explain that defaults are evil.
>> Security by obscurity is not security. If you believe the contrary, you are
>> severly mislead.
>Look into some commercial Unix and learn what they do. Better yet, read
I have, thank you very much.
>> >That's a secondary issue. Not everybody know that they need to disable
>> >tftp in inetd.conf! And there are very few that realy need it!
>> You don't have to, it only works in a subdirectory that's empty by default,
>> and won't let you create files
>That's safe! It's not the empty directory, it's the daemon that gets
Ok, I thought you were refering to the old "GET /etc/passwd" bug. It's been
a while since the last bug in tftp was found, but I agree with you that it
wouldn't hurt to disable it, just to be on the safe side.
>What about a regular guy or even a software developer who wants to connect
>to the Internet? Expect him to go hire you to fix BASIC security holes?
Ok. Then, disable everything to make it secure, and now I ask you:
Waht about a regular guy or even a software developer who wants to use basic
unix services that were all disabled, or so secured that they're difficult
to use? Expect him to go hire you to enable everything he needs?
Look, I'm all for securing systems by default, but I also know that the more
you do that, the more difficult it is to use the system for beginners.
Personally, I don't care much either way as long as I can do what I want
>> >Other Unix is not much better in many respects.
Ain't that convenient...
>If the distributions come configured as a standalone secure (tight) by
>default, people would take it for granted. When they want to connect
>somewhere then they would ask a person or a system what it takes to get
>the right services (daemons) runing.
You could do that, but I think you'd double the existing traffic in linux.*
It's all about tradeoffs.
I'll end here, though.
Home page: http://magic.metawire.com/~merlin/ (friendly to non IE browsers)
Finger merlin at magic.metawire.com for PGP key and other contact information
echo "unsubscribe svlug" | mail majordomo at svlug.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to unsubscribe
More information about the svlug