Re: rlinetd security

To: maney@pobox.com
Cc: Tim Haynes <debian@stirfried.vegetable.org.uk>, debian-security@lists.debian.org
Subject: Re: rlinetd security
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 18 Jun 2001 21:41:52 +0100
Message-id: <[🔎] 87ithtsepb.fsf@stirfried.vegetable.org.uk>
Reply-to: debian@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 20010618152420.A18409@furrr.two14.net>
References: <[🔎] 005a01c0f82a$26c1bdc0$48bb42cf@mis1.wrv.com> <[🔎] 86sngx60r0.fsf@potato.vegetable.org.uk> <[🔎] 20010618152420.A18409@furrr.two14.net>

maney@pobox.com (Martin Maney) writes:

> On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
>
> > Well, it depends. You can never tidy up a rooted box; the same
> > mentality sort of applies all the way down - if you're setting up a
> > box, why worry about installing this and uninstalling that, when your
> > original installation shouldn't have had anything enabled in the first
> > place? (And yes, you can push that back into the distro, too.)
> 
> Sure, you can have a distro that doens't install any services. Heck,
> consider local exploits and you may decide that "login considered
> harmful" isn't too great a stretch... :-)

Well, smiley noted, but the list of users who have what kind of access to
the box has to be considered.

> I have to take issue with your attempt to draw a aparallel to a rooted
> box. It *is* possible to cleanup the newly installed box because you can
> reasonably assume that it hasn't been maliciously setup to resist the
> cleanup.

Well, if you can assume that, sure. But the parallel really comes in saying
you half-way don't know what to look for, or might miss something. That's
why I'm in favour of pushing some things into the distro
installation-default area.

> > Surely software you install on production machines has its requirements
> > either satisfied by the wonder that is apt-get, or documented properly? 
> > You can, and should, start from blank and add things as you need.
> 
> Could I agree with the minimalist sentiment while yet observing that
> apt-get, wonderful as it is, cannot satisfy requirements that come not
> from packages installed on this machine, but from other machines -
> possibly ones that aren't even using Debian?

Sure; that's where `or documented properly' comes in.

> At the same time, I would like to agree with the sentiment that has been
> expressed a few times. "If you don't know what it's for, shut it off." I
> think the unstated part that some may have overlooked is that if you need
> something but don't know it, then you owe it to yourself (and your
> employers, if that's the sort of situation it is) to find out what's
> there.

It's been mentioned very en-passant, as has `but I don't have the time to
investigate everything', which makes my caffeine^Wblood boil.

>  This is how sysadmins lose their hair!

Tell me about it. 

My take on the whole thing is that you're building a test box internally
first *anyway*, if you don't know exactly how to set up a live machine;
then you investigate, kill off everything your reading of the manuals
allows you to, on the simple grounds that you don't want it to turn around
& bite you later on, and you're on a test box so any breaks won't matter
and you'll learn in the process.
Leaving stuff open because `there aren't any known holes at the moment
doesn't really wash here :( .

~Tim
-- 
But mountains are holy places,              |piglet@stirfried.vegetable.org.uk
And beauty is free / We can still walk      |http://spodzone.org.uk/
Through the garden                          |
Our earth was once green                    |

Reply to:

References:
- RE: rlinetd security
  - From: "Pat Moffitt" <pmoffitt@wrv.com>
- Re: rlinetd security
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: rlinetd security
  - From: maney@pobox.com (Martin Maney)

Prev by Date: Re: gnupg problem
Next by Date: Re: gnupg problem
Previous by thread: Re: rlinetd security
Next by thread: Re: rlinetd security
Index(es):
- Date
- Thread