Re: ?-able packages for a firewall.
So do you think we can do away with bsdutils altogether without any
problem?
Henry Hollenberg speed@barney.iamerica.net
On Wed, 4 Mar 1998, Bernd Eckenfels wrote:
> Hello,
>
> > I was told that /usr/bin/script was dangerous to leave on a firewall and
> > so planned to delete it by hand if the bsdutils were installed.
>
> No Program running without special privileges is especially dangerous on a
> firewall. You have to watch:
>
> a) running privileged programs (with interaction to the world)
> inetd, smtpd, apache...
>
> b) programs which get called often from privileged programs
> login, perl, ...
>
> b2) programs which get called often from unprivileged programs
> (I don't think you can call any process on a firewall unprivileged, even user
> nobody can list the process table for example. Since Linux is no A- or B-
> Level OS, you can ignore those kinds of tools.)
>
> c) programs which are suid
> c1) and needed: bad thing, avoid
> c2) and not needed for operation: remove
>
> d) programs which are not needed for operation
> These are not security risks in themselves. Removing them will only give you:
> d1) smaller system
> d2) harder for hackers to work on a hacked host
>
> Script is not suid and never used, therefore it is a class d) program.
> (there might be systems where script is sgid tty or something like that, but
> I can't remember any).
>
> > also had a concern about /usr/bin/logger but thought removing this might
> > break sysklogd.....should it be left alone?
>
> No, it will not break syslogd, but it will break a few shell scripts which
> log their actions. It's a class b) program, I think. Or d) if you remove the
> scripts.
hgh
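
An added example, not part of either poster's message: a small POSIX shell triage that checks whether a binary such as /usr/bin/script carries a suid or sgid bit (class c in the list quoted above) and inventories every set-id file under the given directories. The function names `classify_file` and `list_setid` and the output labels are made up for this illustration.

```shell
#!/bin/sh
# Added illustration: triage binaries against class c) of the quoted list.
# Function names and output labels are hypothetical.

# classify_file PATH -> prints one of:
#   c:suid, c:sgid, c:suid+sgid  (carries a set-id bit: class c)
#   not-c                        (no set-id bit; class b or d depending on
#                                 whether anything on the host still calls it)
#   missing                      (not a regular file; returns 1)
classify_file() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    if [ -u "$f" ] && [ -g "$f" ]; then
        echo "c:suid+sgid"
    elif [ -u "$f" ]; then
        echo "c:suid"
    elif [ -g "$f" ]; then
        echo "c:sgid"
    else
        echo "not-c"
    fi
}

# list_setid DIR... -> every regular file with suid or sgid set, sorted.
# Uses only POSIX find primaries so it also works on non-GNU systems.
list_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# When run with directories as arguments, print class and path per entry,
# e.g.:  sh triage.sh /bin /sbin /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    list_setid "$@" | while IFS= read -r p; do
        printf '%s\t%s\n' "$(classify_file "$p")" "$p"
    done
fi
```

Each path it reports is then sorted by hand into c1) or c2), since the script cannot tell whether a set-id program is needed for operation.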