Re: rlinetd security

To: Tim Haynes <debian@stirfried.vegetable.org.uk>
Cc: debian-security@lists.debian.org
Subject: Re: rlinetd security
From: maney@pobox.com (Martin Maney)
Date: Mon, 18 Jun 2001 15:24:20 -0500
Message-id: <[🔎] 20010618152420.A18409@furrr.two14.net>
Reply-to: maney@pobox.com
In-reply-to: <[🔎] 86sngx60r0.fsf@potato.vegetable.org.uk>; from debian@stirfried.vegetable.org.uk on Mon, Jun 18, 2001 at 08:34:11PM +0100
References: <[🔎] 005a01c0f82a$26c1bdc0$48bb42cf@mis1.wrv.com> <[🔎] 86sngx60r0.fsf@potato.vegetable.org.uk>

On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
> Well, it depends. You can never tidy up a rooted box; the same mentality
> sort of applies all the way down - if you're setting up a box, why worry
> about installing this and uninstalling that, when your original
> installation shouldn't have had anything enabled in the first place? (And
> yes, you can push that back into the distro, too.)

Sure, you can have a distro that doens't install any services.  Heck,
consider local exploits and you may decide that "login considered harmful"
isn't too great a stretch...  :-)

I have to take issue with your attempt to draw a aparallel to a rooted box. 
It *is* possible to cleanup the newly installed box because you can
reasonably assume that it hasn't been maliciously setup to resist the
cleanup.

> Surely software you install on production machines has its requirements
> either satisfied by the wonder that is apt-get, or documented properly? You
> can, and should, start from blank and add things as you need.

Could I agree with the minimalist sentiment while yet observing that
apt-get, wonderful as it is, cannot satisfy requirements that come not from
packages installed on this machine, but from other machines - possibly ones
that aren't even using Debian?

At the same time, I would like to agree with the sentiment that has been
expressed a few times.  "If you don't know what it's for, shut it off."  I
think the unstated part that some may have overlooked is that if you need
something but don't know it, then you owe it to yourself (and your
employers, if that's the sort of situation it is) to find out what's there. 
This is how sysadmins lose their hair!

-- 
There has grown up in the minds of certain groups in this country
the notion that because a man or corporation has made a profit
out of the public for a number of years, the government and the courts
are charged with the duty of guaranteeing such profit in the future,
even in the face of changing circumstances and contrary public interest.
This strange doctrine is not supported by statute nor common law.  -- RAH

Reply to:

Follow-Ups:
- Re: rlinetd security
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>

References:
- RE: rlinetd security
  - From: "Pat Moffitt" <pmoffitt@wrv.com>
- Re: rlinetd security
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>

Prev by Date: Re: gnupg problem
Next by Date: Re: gnupg problem
Previous by thread: Re: rlinetd security
Next by thread: Re: rlinetd security
Index(es):
- Date
- Thread