
Re: Debian 2.2 and security - SecurityPortal article



On Wed, Aug 30, 2000 at 11:55:57AM +0200, Leszek Gerwatowski wrote:
> On SecurityPortal there is an article about Debian 2.2 security:
> 
> http://www.securityportal.com/closet/closet20000830.html
> 
> Just read it and tell me what you think about it.

The author (Kurt Seifried) makes the newbie believe Debian 2.2
is not secure, but you should look at it more closely.


quote: "The next default that really ticks me off is the password encryption scheme - 
the default is to use crypt. "

Half a year ago I installed debian-potato and I had never heard of MD5 before,
but the displayed text informed me very well on what to choose. If you are
too lazy to read these lines, you shouldn't try to set up a secure system.
BTW, potato stores passwords in /etc/shadow, so that you need to be root
to read the encrypted passwords (unless you use NIS).


quote: "Discard, daytime, time, shell, login, and exec (r services) are all 
enabled by default"

The first three are enabled, but I think that is no security problem.
But shell, login and exec are not enabled, at least on my system.
Does someone have a fresh installation to tell us what the default is?


The gnuplot and exim paragraphs can be ignored.


dpkg && pgp: Can say something about this. 


Home directories world-readable by default: I have nothing to hide.
If I had something to hide I would use encryption and not
chmod. I work together with the other users; I want them to see my
work and I want to see theirs.


LILO problem: If you have physical access to the machine, you can
boot from a rescue disk and get root every time (unless you use
an encrypted filesystem).


Complaint about old Apache, ProFTPD: If you always want the latest
fixes, you need to get the stuff from the sources (e.g. www.apache.org).

quote:
"Debian's goal of a bug-free release hasn't been met.
But to be fair, it's not like any software vendor will ever release
bug-free software. Debian has done a particularly bad job in my opinion,
shipping out-of-date software and
especially publicly available network daemons that have root hacks in them."

Bug-free can mean both security-bug-free and stability-bug-free.
Install OpenBSD if you are paranoid about security.



-- 
Thomas Guettler
Office: <guettli_NoSpam_interface-business.de> www.interface-business.de
Private:<guettli_NoSpam_gmx.de>  http://yi.org/guettli
(Replace _NoSpam_ with @)
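An added audit script, not from the thread or from Debian, that checks the potato defaults argued over above on any box: which of the named inetd services are uncommented, how many shadow entries still carry a 13-character crypt hash instead of a $1$ MD5 one, whether lilo.conf sets both password and restricted, and how many home directories are world-readable. The demo at the bottom runs on constructed sample files; on a real system point the functions at /etc/inetd.conf, /etc/shadow, /etc/lilo.conf and /home.

```shell
#!/bin/sh
# Each function takes a file or directory path so it works on a live
# system as well as on the constructed samples built in demo().

# Print each named service that has an uncommented entry in inetd.conf.
enabled_inetd_services() {
    conf=$1; shift
    for svc in "$@"; do
        grep -q "^[[:space:]]*$svc[[:space:]]" "$conf" && printf '%s\n' "$svc"
    done
    return 0
}

# Count shadow entries still using 13-character DES crypt, skipping
# "$1$" MD5 hashes and locked fields that start with "*" or "!".
des_crypt_accounts() {
    awk -F: 'length($2) == 13 && $2 !~ /^[$*!]/ { n++ } END { print n + 0 }' "$1"
}

# Succeed only if lilo.conf sets both "password=" and "restricted", so
# boot-time parameters cannot be entered at the console without it.
lilo_protected() {
    grep -q '^[[:space:]]*password' "$1" && grep -q '^[[:space:]]*restricted' "$1"
}

# Count direct subdirectories of a home root that are world-readable (o+r).
world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 | wc -l | tr -d ' '
}

# Demo on constructed samples (not a real installation's files).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'discard stream tcp nowait root internal' \
        '#shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd' \
        'login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind' > "$tmp/inetd.conf"
    printf '%s\n' 'root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:11200:0:99999:7:::' \
        'alice:ab0123456789Z:11200:0:99999:7:::' 'daemon:*:11200:0:99999:7:::' > "$tmp/shadow"
    printf 'boot=/dev/hda\nimage=/vmlinuz\n' > "$tmp/lilo.conf"
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    chmod 755 "$tmp/home/alice"; chmod 750 "$tmp/home/bob"
    echo "enabled: $(enabled_inetd_services "$tmp/inetd.conf" discard daytime time shell login exec | tr '\n' ' ')"
    echo "DES crypt accounts: $(des_crypt_accounts "$tmp/shadow")"
    lilo_protected "$tmp/lilo.conf" && echo "LILO protected" || echo "LILO unprotected"
    echo "world-readable homes: $(world_readable_homes "$tmp/home")"
    rm -rf "$tmp"
}
demo
```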
