On Sat, Feb 14, 2004 at 08:48:44PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Feb 13, 2004 at 06:41:19PM +0000, Andrew Suffield wrote:
> > > > I think that regular Debian equals or beats the exact claims made as
> > > > to openbsd's "security" (which aren't much - just regarding holes in
> > > > the default install that can lead to a remote root compromise). Note
> > > > that this mostly says "We have a default install that doesn't do
> > > > anything, too".
> > >
> > > Umm.. it's really a default install with no network services, which is
> > > usually quite ok for most users. Our "default" general install is much more
> > > bloated.
> >
> > And precisely how many network services does it include? Anything that
> > doesn't listen on a network port can't be a remote root issue.
> >
> > (I checked first. Did you?)
>
> Well, I was drawing from experience (I've hardened a number of Debian
> systems).
>
> Ok, let me see, in woody:
>
> 1) exim listens to all remote ports, is installed as the default MTA and
> run by inetd

Can't remember any remote root holes in exim.

> 2) inetd comes with daytime, time and discard services enabled (that's
> the netkit-inetd package)

Harmless, if silly.

> [that's just priority 'important']
> [ priority 'standard' follows:]
> 3) portmapper is also enabled
> 4) nfs-common is also installed, which means lockd and statd RPC
> services are up and running

I'd have classified those as one, but whatever; I can only think of one
remote root exploit here (rpc.statd, a few years ago).

> 5) pidentd is priority 'standard', so you got the identd running through
> inetd too

This one's pretty silly too. But I don't recall any security holes in it.

> 6) the printer spooler server lpd is also installed and open "free for
> all"

I remember one in lprng, but not lpd.

> 7) OpenSSH is also installed

I think we've had more security holes from this than all the others put
together. Hi there, OpenBSD.
> > > Also, the user-space has been audited, something we cannot say we have done
> > > ourselves. [3]
> >
> > In and of itself, that means nothing.
> >
> > Audited by who, how hard, with what objectives, for how long, and how
> > much code was checked? How much of that code is actually shared with
> > Debian? What about other independent auditing groups?
>
> As far as I can "see" (from afar) OpenBSD has been audited by the same
> people that work in the project, with a security perspective in mind (no
> strcpy/strcat/sprintf/vsprintf, which have been replaced with "safe"
> bounds-checking alternatives) for some time (they claim 1997). What? I believe
> the kernel and much of the BSD user-space (not all the applications in the
> ports tree) looks like it has been audited. I don't have time to review all
> the CVS logs, but a number of vulnerabilities that have been
> found in *BSD did not apply to OpenBSD. I would need to dig out my database
> in order to tell you which ones, no time for that though.

You appear to have missed the point. "Audited" means nothing alone, and
can't be quantified. As such it's just a buzzword in this context. Nobody
can prove, or even convincingly demonstrate, that these actions regarding
OpenBSD have improved real-world security or done anything but waste
time. So it's not much of a selling point.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
Attachment:
signature.asc
Description: Digital signature
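The argument in the thread turns on one concrete question: which services on a default install actually accept connections from the network. The script below is an added example, not code from the thread or from Debian; it enumerates exactly that from two inputs, an inetd.conf (services spawned on demand by inetd, as exim, the internal services and identd are in the list above) and the output of `netstat -tulpn` (daemons that bind their own sockets, such as portmap, rpc.statd, lpd and sshd). Both inputs are constructed here to mirror the woody defaults named in the thread; the `#<off># ` prefix that Debian's update-inetd uses to disable an entry is real, the sample lines themselves are made up. On a live host the same functions take /etc/inetd.conf and `netstat -tulpn` (or `ss -tulpn`) run as root. Loopback-only listeners are deliberately dropped, since they cannot be a remote root issue.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): inventory the network-
# facing services a Debian box exposes. Inputs are CONSTRUCTED to mirror the
# woody defaults discussed above; replace them with the real files on a host.

# Constructed /etc/inetd.conf. A leading "#" is a comment; Debian's
# update-inetd disables an entry by prefixing it with "#<off># ".
SAMPLE_INETD='# /etc/inetd.conf: see inetd(8) for details.
#:INTERNAL: Internal services
#echo      stream  tcp  nowait  root  internal
discard    stream  tcp  nowait  root  internal
daytime    stream  tcp  nowait  root  internal
time       stream  tcp  nowait  root  internal
#:STANDARD: These are standard services.
#<off># telnet  stream  tcp  nowait  telnetd.telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
#:MAIL:
smtp       stream  tcp  nowait  mail  /usr/sbin/exim  exim -bs
#:INFO:
ident      stream  tcp  wait    identd  /usr/sbin/identd  identd
'

# Print "service proto" for every enabled (non-comment) inetd entry.
inetd_enabled() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ { next }          # comments and #<off># entries
        NF >= 6          { print $1, $3 }  # service name and protocol
    '
}

# Constructed `netstat -tulpn` output: the standalone daemons from the thread
# plus a loopback-only listener, which must not be reported.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      201/portmap
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      410/lpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      455/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      480/mysqld
udp        0      0 0.0.0.0:111             0.0.0.0:*                           201/portmap
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           230/rpc.statd
'

# Print "proto port program" for every socket bound to a non-loopback address.
exposed_listeners() {
    printf '%s' "$1" | awk '
        $1 !~ /^(tcp|udp)/ { next }                # skip header lines
        {
            n = split($4, a, ":"); addr = a[1]; port = a[n]
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)  # strip the "PID/" prefix
            print $1, port, prog
        }
    '
}

# Number of distinct remotely reachable programs, inetd-spawned ones included.
remote_service_count() {
    {
        inetd_enabled "$1" | awk '{ print $1 }'
        exposed_listeners "$2" | awk '{ print $3 }'
    } | sort -u | wc -l | tr -d ' '
}

main() {
    echo "== inetd-spawned services =="
    inetd_enabled "$SAMPLE_INETD"
    echo "== standalone listeners (non-loopback) =="
    exposed_listeners "$SAMPLE_NETSTAT"
    echo "distinct remotely reachable services: $(remote_service_count "$SAMPLE_INETD" "$SAMPLE_NETSTAT")"
}
main
```

On the constructed input this reports five inetd entries (discard, daytime, time, smtp, ident), five exposed sockets (portmap on tcp and udp, lpd, sshd, rpc.statd) and nine distinct programs; the disabled telnet entry and the loopback-only mysqld are correctly left out. Mapping each program back to its package (`dpkg -S /usr/sbin/sshd`, for instance) is the step that turns this into the per-package list the thread is haggling over.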