[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why Linux, Why Debian

On Sat, Feb 14, 2004 at 08:48:44PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> On Fri, Feb 13, 2004 at 06:41:19PM +0000, Andrew Suffield wrote:
> > > > I think that regular Debian equals or beats the exact claims made as
> > > > to openbsd's "security" (which aren't much - just regarding holes in
> > > > the default install that can lead to a remote root compromise). Note
> > > > that this mostly says "We have a default install that doesn't do
> > > > anything, too".
> > > 
> > > Umm.. it's really a default install with no network services, which is 
> > > usually quite ok for most users. Our "default" general install is much more 
> > > bloated.
> > 
> > And precisely how many network services does it include? Anything that
> > doesn't listen on a network port can't be a remote root issue.
> > 
> > (I checked first. Did you?)
> Well, I was drawing from experience (I've hardened a number of Debian 
> systems).
> Ok, let me see, in woody:
> 1) exim listens to all remote ports, is installed as the default MTA and 
> run by inetd

Can't remember any remote root holes in exim.

> 2) inetd comes with daytime, time and discard services enabled (that's 
> the netkit-inetd package)

Harmless, if silly.

> [that's just priority 'important']
> [ priority 'standard' follows:]
> 3) portmapper is also enabled
> 4) nfs-common is also installed, which means lockd and statd RPC 
> services are up and running

I'd have classified those as one, but whatever; I can only think of
one remote root exploit here (rpc.statd, a few years ago).

> 5) pidentd is priority 'standard', so you got the identd running through 
> inetd too

This one's pretty silly too. But I don't recall any security holes in it.

> 6) the printer spooler server lpd, is also installed and open "free for 
> all"

I remember one in lprng, but not lpd.

> 7) OpenSSH is also installed

I think we've had more security holes from this than all the others
put together. Hi there, OpenBSD.

> > > Also, the user-space has been audited, something we cannot say we have done
> > > ourselves. [3]
> > 
> > In and as of itself, that means nothing.
> > 
> > Audited by who, how hard, with what objectives, for how long, and how
> > much code was checked? How much of that code is actually shared with
> > Debian? What about other independent auditing groups?
> As far as I can "see" (from afar) OpenBSD has been audited by the same
> people that work in the project, with a security perspective in mind (no
> strcpy/strcat/sprintf/vsprintf which have been replaced with "safe" bound
> checkings alternatives) for some time (they claim 1997). What? I believe
> the kernel and much the BSD user-space (not all the applications in the
> ports tree) looks like it has been audited. I don't have time to review all 
> the CVS logs, but a number of vulnerabilities that have been 
> found in *BSD did not apply to OpenBSD. I would need to dig out my database 
> in order to tell you which ones, no time for that though.

You appear to have missed the point. "Audited" means nothing alone,
and can't be quantified. As such it's just a buzzword in this context.

Nobody can prove, or even convincingly demonstrate, that these actions
regarding OpenBSD have improved real-world security or done anything
but waste time. So it's not much of a selling point.

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature

Reply to: