[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: strange log entry



On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
> On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > > >
> > > BS, when was the last time you installed OpenBSD?  I just did an install
> > 
> > 2.5
> That was what, 2 years ago?

1.5 years or so yes, i haven't messed with openbsd in a while, i was going
to use it for my firewall but there were some problems with it so i
ditched in favor of debian.  OpenBSD's security reputation is a bit
exaggerated, with some good admining a linux box can be just as
secure...

i was also quite annoyed by its complete lack of upgradability, i
tried twice in testing to upgrade the dist from one version to another
it failed and made a mess every time, screw that i don't think much of
rebuilding a box every 6mo -> 1 year just to keep up with the times.  

> Ah, they probably caught the problem shortly before 2.6 release,
> and didn't have time to fix ftp code, but changing rc.conf was doable.

heh your almost as cynical as i am ;-)

> Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
> sshd and identd are enabled by default.  

hmm maybe my memory is funky but that seems like more then i saw out
of the box... it still had more crap running then i prefer. 

> Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
> I have seen posts from you saying that you like some features of OpenBSD,
> /sbin/nologin for example.

its a nice system, i like the simplicity and clean design, its like
debian in that.  but upgrading the whole thing is simply impossible.
well maybe grabbing all source from CVS and doing make world will do
it, but i didn't try it.  the `official' upgrade system is broken.  

> I'm just curious why the 'r' tools are apparently so vulnerable in 
> Linux.  If the OpenBSD folks are willing to risk creditability by 
> claiming that their default install has no remote holes, while
> enabling portmap and rstatd by default, why can't Linux users feel 
> safe running those daemons also?

well openbsd claims to have audited everything they enable by default,
and everything in their base install (which is VERY lean).  from
reading bugtraq they seem to have a very bad habit about fixing bugs
quietly and not bothering to send patches upstream, instead posting
sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
years ago' (check out the recent joe DEADJOE vulnerabity for an
example). 

of course i could be wrong, and all upstream developers are just
blackholing openbsd security patches. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpyJhbPwaV6y.pgp
Description: PGP signature


Reply to: