
Re: SECURITY PROBLEM: autofs [all versions]



On Mon, 3 Jul 2000, Christopher W. Curtis wrote:

> > System as shipped boots from floppy.
> > System as shipped does not have password.
> 
> So your answer is that basic security is not important enough to give
> users out of the box?  Is there a 'hardening debian' guide somewhere
> that says, "By default, all Debian installations are subject to the
> following root compromises - you can fix each of these by doing a) b)
> c).  While we have the ability to fix these for you before shipping you
> an insecure OS, it's simply too much trouble to change one line in one
> file when security is the concern of the person who installs the system,
> and not the concern of the people releasing the system."
>

No, my answer is to make it usable for the majority of users, without removing
functionality.

Would you go back on the motherboard manufacturer if someone got into your
machine thru a back door bios password?  I highly doubt it.

In this case, hpa is to the bios writer, as debian is to the mobo
manufacturer.

> Or is it simply a matter of, "Well, to make it hard to break in, they
> have to do a) and b) anyways, so while they're at it, they can just go
> ahead and do f) - l) as well".

When securing a machine, you have to cover ALL bases.  NEVER assume that the
defaults are secure.  If you want a truly secure machine, you need to audit
every single piece of software, and its config files.

> I thought Debian was all about high-quality releases - if you want to
> take a microsoft style approach to security, why bother waiting for the
> software to stabilize either?

It is too late in potato's cycle for this to be addressed.  If you read the
very first email I sent in this thread, you would have seen that I had no
problem adding those options.  I just won't be doing it for Debian 2.2.  Most
likely it will be 2.2r1.

----BEGIN PGP INFO----
Adam Heath <doogie@debian.org>        Finger Print | KeyID
67 01 42 93 CA 37 FB 1E    63 C9 80 1D 08 CF 84 0A | DE656B05 PGP
AD46 C888 F587 F8A3 A6DA  3261 8A2C 7DC2 8BD4 A489 | 8BD4A489 GPG
-----END PGP INFO-----