Linux Users' Group of Davis (LUGOD)
Page last updated: 2002 Jun 12 16:00

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Who opened the floodgates?


Peter Jay Salzman writes:

 > when it comes down to it, 3 things and 3 things only make a home system
 > secure:
 > 
 > 1. good passwords
 > 2. not using plaintext authentication
 > 3. being careful about CGIs.
 > 
 > if you follow these three steps and leave on a service, even a service
 > with a bad track record like nfs or pserver, i'd bet you'd still be OK
 > to guard a home system.

Sorry, Pete, but I don't think this cuts it. Think how many times
people have been compromised over Sendmail or BIND regardless of how
much attention they pay to those three points.  Therefore, I'd add a
few other points:

4. Never run anything as root, unless absolutely necessary.
5. If you must run as root, get out of root-hood as absolutely soon as
possible.
6. If as absolutely soon as possible isn't nearly immediate, or you
must run as root for some time, be in a minimal, chrooted environment.

There are many, many exploits which do not rely on bad passwords,
plaintext authentication, or crappy CGIs. Many exploits rely on
buffer-overrun opportunities springing from poorly written but
innocent-seeming code - on at least one occasion, the code turned out
to be glibc. That sort of case is very hard to guard against, so
better to be paranoid than to assume everything's okay.

In fact, most good root exploits I've heard of don't have anything to
do with password authentication.

Just my 2, of course...
Micah
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
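Points 4 to 6 above describe the order a long-running service should follow on Linux: do the one thing that needs root, confine the process, then give up root permanently and check that it really is gone. The following is an added example written for this archive page, not code from the post or from the list; the function names (confine_to_directory, drop_privileges, unprivileged_uid) and the fallback uid/gid 65534 are this example's own choices.

```c
/* Start-as-root, confine, then drop-root sequence for a Linux daemon.
 * Ordering is the whole point: chroot(2) needs root, so it comes first;
 * supplementary groups and gid must be dropped before the uid, because once
 * the uid is unprivileged those calls are refused; finally verify that root
 * cannot be regained. Example code, not from the mailing-list post. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototype so the file also builds under strict -std= modes. */
int setgroups(size_t n, const gid_t *groups);

/* Point 6: confine the process to `root` while we still are root.
 * Returns 0 on success, 1 when chroot is not permitted for this process
 * (not root, or the call is denied), -1 on any other error. */
int confine_to_directory(const char *root) {
    if (geteuid() != 0)
        return 1;
    if (chroot(root) != 0)
        return errno == EPERM ? 1 : -1;
    /* Without chdir the working directory would still point outside the jail. */
    if (chdir("/") != 0)
        return -1;
    return 0;
}

/* Point 5: give up root for good and prove it.
 * Returns 0 once the process runs as uid/gid with no way back to uid 0. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0)   /* supplementary groups first */
            return -1;
        if (setgid(gid) != 0)          /* gid before uid */
            return -1;
        if (setuid(uid) != 0)          /* as root: sets real, effective and saved uid */
            return -1;
    }
    /* Verification: no id may still be 0, and reclaiming 0 must be refused. */
    if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;                     /* got root back: the drop was incomplete */
    return 0;
}

/* Pick an unprivileged identity: keep the current one when it is already
 * unprivileged, otherwise fall back to 65534 (nobody/nogroup on most
 * Linux systems; a constructed default for this example). */
uid_t unprivileged_uid(void) { return getuid() != 0 ? getuid() : (uid_t)65534; }
gid_t unprivileged_gid(void) { return getgid() != 0 ? getgid() : (gid_t)65534; }

int main(void) {
    int confined = confine_to_directory("/");  /* "/" keeps the demo harmless */
    if (confined < 0) {
        perror("chroot");
        return 1;
    }
    if (drop_privileges(unprivileged_uid(), unprivileged_gid()) != 0) {
        fprintf(stderr, "privilege drop failed or incomplete\n");
        return 1;
    }
    printf("running as uid=%u gid=%u, chroot %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           confined == 0 ? "applied" : "skipped (not permitted)");
    return 0;
}
```

Run it as root to see the full sequence, or as an ordinary user to see the verification path alone. The checks at the end of drop_privileges are what make the difference: a service that calls setuid() and then trusts the result silently keeps root if, for example, setgid() was skipped or the calls were issued in the wrong order.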