[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why Linux, Why Debian

On Fri, Feb 13, 2004 at 06:41:19PM +0000, Andrew Suffield wrote:
> > > I think that regular Debian equals or beats the exact claims made as
> > > to openbsd's "security" (which aren't much - just regarding holes in
> > > the default install that can lead to a remote root compromise). Note
> > > that this mostly says "We have a default install that doesn't do
> > > anything, too".
> > 
> > Umm.. it's really a default install with no network services, which is 
> > usually quite ok for most users. Our "default" general install is much more 
> > bloated.
> And precisely how many network services does it include? Anything that
> doesn't listen on a network port can't be a remote root issue.
> (I checked first. Did you?)

Well, I was drawing from experience (I've hardened a number of Debian 

Ok, let me see, in woody:

1) exim listens to all remote ports, is installed as the default MTA and 
run by inetd
2) inetd comes with daytime, time and discard services enabled (that's 
the netkit-inetd package)
[that's just priority 'important']
[ priority 'standard' follows:]
3) portmapper is also enabled
4) nfs-common is also installed, which means lockd and statd RPC 
services are up and running
5) pidentd is priority 'standard', so you got the identd running through 
inetd too
6) the printer spooler server lpd, is also installed and open "free for 
7) OpenSSH is also installed

So a user going through the installation+no tasksel+dselect (i.e. a default
'standard' installation) would have 10 remote services open to the world.
Not all of them are potential attack vectors, obviously, and some are a 
functionality vs. exposure (security?) decission (portmap and allies and, 
probably, pidentd).

All of these might be mitigated if netbase configuration for tcp-wrappers
(see #62145), or iptables (see #212692) could be configured in a _very_
restricted way (i.e. default 'DENY')

This is less exposure [0] than a Solaris 9 default install [1], but more
than a RedHat 8 default install [2] (they cheat, they setup a firewall per
default since 7.2 :-) and bigger than an OpenBSD default install (IIRC it's
only openssh there and some inetd services, no portmaper since 3.2, no mail
listening daemon since 3.0, no printer daemon)

Notice I do believe that we are improving from release to release (exim4, 
for example, should not do in sarge what exim3 did on woody)

> > Also, the user-space has been audited, something we cannot say we have done
> > ourselves. [3]
> In and as of itself, that means nothing.
> Audited by who, how hard, with what objectives, for how long, and how
> much code was checked? How much of that code is actually shared with
> Debian? What about other independent auditing groups?

As far as I can "see" (from afar) OpenBSD has been audited by the same
people that work in the project, with a security perspective in mind (no
strcpy/strcat/sprintf/vsprintf which have been replaced with "safe" bound
checkings alternatives) for some time (they claim 1997). What? I believe
the kernel and much the BSD user-space (not all the applications in the
ports tree) looks like it has been audited. I don't have time to review all 
the CVS logs, but a number of vulnerabilities that have been 
found in *BSD did not apply to OpenBSD. I would need to dig out my database 
in order to tell you which ones, no time for that though.



[0] "Exposure" as defined by the number of network services that can be
accessed from outside hosts in a default install.
[1] http://www.infosecwriters.com/projects/osscan/sun9dr.php
[2] http://www.infosecwriters.com/projects/osscan/redhat8_dr.php

Attachment: signature.asc
Description: Digital signature

Reply to: