[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ?-able packages for a firewall.

So do you think we can do away with bsdutils altogether without any

	Henry Hollenberg     speed@barney.iamerica.net 

On Wed, 4 Mar 1998, Bernd Eckenfels wrote:

> Hello,
> > I was told that /usr/bin/script was dangerous to leave on a firewall and
> > so planned to delete it by hand it the bsdutils were installed.
> No Program running without special priveleges is especially dangerous on a
> firewall. You have to watch:
> a) running priveleged programs (with interaction to the world)
> inetd, smtpd, apache...
> b) programs which get called often from priveleged programs
> login, perl, ...
> b2) programs which get called often from unpriveleged programs
> (i dont think you can call any process on a firewall unpriveleged, even user
> nobody can list the process table for example. Since Linux is no A- or B-
> Level OS, you can ignore those kind of tools.
> c) programs which are suid
> c1) and needed: bad thing, avoid
> c2) and not needed for operation: remove
> d) programs which are not needed for operation
> These are no security risks itself. Removing them will only give u:
>   d1) smaller system
>   d2) harder for hackers to work on a hacked host
> Script is not suid and never used, therefore it is a class d) program.
> (there might be systems where script is sgid tty or something like that, but
> I cant remeber any).
> > also had a concern about /usr/bin/logger but thought removing this might
> > break sysklogd.....should it be left alone?
> No, it will not break syslogd, but it will break a few shell scripts which
> log their actions. Its a class b) program i think. Or d) if you remove the
> scripts.


E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble?  e-mail to listmaster@debian.org .

Reply to: