On Fri, Aug 24, 2001 at 11:27:20PM -0400, Andres Salomon wrote:
> What difference does it make, whether it's remote or not? A root
> vulnerability is something that one would want to avoid, as agreed.

this common attitude of `we don't have untrusted users so local security doesn't matter' is flawed.

take a web server where you have cgi scripts, but do not have any untrusted users, thus you don't bother keeping local security tight, or bother installing fixes for local security holes. then one day someone hacks one of your cgi scripts and gets uid=www-data, now since you decided that local security doesn't matter this www-data compromise becomes a uid=0 compromise within minutes.

this is a real world example folks, whether you have untrusted local users or not you MUST treat all security holes/risks equal. saying `oh that's local, it's not [very] important' is utter foolishness.

--
Ethan Benson
http://www.alaska.net/~erbenson/