
Re: Security of Debian SuX0r?



Hi,

I don't like crossposting to mailing lists, so I post this to debian-devel,
as well as a Cc to the original author.

Quoting Juhapekka Tolvanen (juhtolv@st.jyu.fi):
> Have you guys and girls seen this? What do you think about it?
> 
> http://www.securityportal.com/closet/
> 
> Before you flame me, please read the entire article. I realize there are a
> lot of nice things about Debian, but I've also found a lot of problems.
> The odd thing is that Debian seems to have gotten the niggly little
> details right, but there are major issues they haven't addressed."
The main thing I thought (after reading the article) was that you're mostly
right, as far as I know.
The package-signing thing has been bothering me as well.

But.

Your example of rpm's package-signature checking gives an example of a
better idea, but I don't want to think about what happens when the vendor
key is compromised.
If somebody has the key the rpms are signed with, he/she can create a very
real false sense of security ('the signature's right, so the package is 100%
certain to be correct and secure as well') by applying the signature to
altered/compromised packages.

The lilo-security thing seems a little far-fetched to me as well. I didn't
see a comparison with other distributions, and as far as I know, there are
no other distributions that enforce a lilo-password.

Did you check the packages you mentioned as having a security hole
(proftpd, apache)?
A lot of Debian packages (and these as well, afaik) are patched to fix
those holes.
Apart from that, Debian offers (fast) updates to vulnerable packages, in the
form of a security.debian.org apt-rule, where fixed/patched versions are
available.

From your article:
>This portion could be rather long, so I'll cut the list short. Debian has
>shipped more than a few daemons that have severe security problems, many 
>of which were fixed well before Debian 2.2 was released. I find this 
>unacceptable, especially in the light that Debian has not released any
>updates for these packages!

I wonder if you actually checked all these 'more than a few daemons'. To my
knowledge there are no publicly known vulnerabilities in Debian.

Some comments on your summary:

>Debian's goal of a bug free-release hasn't been met. But to be fair, it's
>not like any software vendor will ever release bug-free software. 
>Debian has done a particularly bad job in my opinion, shipping out-of-date 
>software and especially publicly available network daemons that have root
>hacks in them. 

There is no such thing as a bug-free release.
Debian has done a pretty good job in keeping their releases (including the
latest one) secure.
There is no software shipped in the last Debian distribution with the
publicly known root hacks you're talking about.

>If you do go with Debian, you'll have a lot of manual updating ahead of you 
>to bring it up-to-date and secure it.  Unfortunately, the argument "
>apt-get, apt-upgrade" won't work, since many of these updates are not 
>available as dpkg's yet. 
Adding security.debian.org to your apt-rules list works just fine. A lot of
Debian maintainers fix security bugs in their packages, often before they
become publicly known.
An out-of-the-box Debian system will only have the security bugs that have
become publicly known after its release date, and these can be fixed with
the above-mentioned security updates.

>Debian has also ignored a lot of work other vendors have put into making their 
>distributions more secure. If you don't learn from the mistakes and 
>improvements of others, there is little hope. This is especially frustrating
>in light of Debian's effort to secure various parts of the distribution,
>using Exim by default instead of Sendmail. 
>Having seen things like that during the install, I had a lot of hope for
>Debian, but my hopes were dashed to pieces upon closer inspection.
Debian is a distribution that _adds_ to the work other vendors do, making
their distributions more secure.
If you had actually taken a closer look (which you obviously haven't done),
you would have seen that there's a lot more work being done on the
security of Debian than you're mentioning.
Your article shows some knowledge of security in Linux systems, but also a
very badly-informed, no-research, superficial look at Debian security
issues.

Greets,
	Robert

-- 
|      rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl        |  
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
        Life is a sexually transmitted disease with 100% mortality.
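The argument in the message above about security.debian.org comes down to one question per installed package: is the installed version older than the version that carries the fix? Answering that correctly needs dpkg's version-comparison rules (epoch, upstream version, Debian revision; "~" sorts before everything, letters before other symbols, digit runs compared numerically), not a plain string compare. The following is an added example, written for this page and not code from Robert, the article, or the Debian project. It implements those rules in Python and runs them over a constructed `dpkg -l`-style listing and a constructed table of "first fixed version" per package; the package names echo the ones discussed in the thread, but every version string is invented for the example and is not real advisory data.

```python
# Added example: dpkg-style version comparison, used to decide whether an
# installed package is older than the version that carries a security fix.
# The rules follow dpkg's algorithm (epoch, upstream, Debian revision; '~'
# sorts before everything, letters before other symbols, digit runs compare
# numerically). Package names and version strings below are constructed.

DIGITS = "0123456789"


def _order(c: str) -> int:
    """Ordering weight of one character, as in dpkg's order()."""
    if c == "":
        return 0            # end of string
    if c in DIGITS:
        return 0            # digit runs are handled numerically elsewhere
    if c.isalpha():
        return ord(c)       # letters sort by ASCII value
    if c == "~":
        return -1           # tilde sorts before even the end of the string
    return ord(c) + 256     # any other symbol sorts after all letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Run of non-digits: compare character by character with _order().
        while (i < len(a) and a[i] not in DIGITS) or \
              (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Run of digits: drop leading zeros, then compare as a number.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1        # a has more digits left, so it is the larger number
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # absent revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Constructed 'dpkg -l'-style listing; all versions are invented.
INSTALLED = """\
ii  apache    1.3.9-13      Example HTTP server
ii  proftpd   1.2.0pre10-2  Example FTP daemon
ii  exim      3.12-10       Example mailer
"""

# Constructed 'first fixed version' table, of the kind one would assemble
# from security.debian.org advisories; these values are invented.
FIXED = {
    "apache": "1.3.9-13.1",
    "proftpd": "1.2.0pre10-2.0potato1",
    "exim": "3.12-10",
}


def vulnerable_packages(status_text: str, fixed: dict) -> list:
    """Return sorted (name, installed, fixed) for packages older than their fix."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name, installed = fields[1], fields[2]
        if name in fixed and compare_versions(installed, fixed[name]) < 0:
            found.append((name, installed, fixed[name]))
    return sorted(found)


if __name__ == "__main__":
    for name, have, need in vulnerable_packages(INSTALLED, FIXED):
        print(f"{name}: installed {have} is older than fixed {need}")
```

The comparison is the part worth getting right: a naive string compare would call "1.0~rc1" newer than "1.0" and "1.9" newer than "1.10", and either mistake would hide a package that still needs the security update. Whether a given "fixed" version really is the one shipped on security.debian.org is a separate question that this check does not answer.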