should i bother??

Scot L. Harris webid at cfl.rr.com
Thu Jan 13 21:41:16 UTC 2005 

Message reordered to fix top posting.

On Thu, 2005-01-13 at 15:44, O'Neill, Donald (US - Deerfield) wrote:

> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Alexander Dalloz
> Sent: Thursday, January 13, 2005 2:19 PM
> To: For users of Fedora Core releases
> Subject: Re: should i bother??
> 
> Am Do, den 13.01.2005 schrieb O'Neill, Donald (US - Deerfield) um 15:55:
> 
> > As for the local root exploit, unless you have untrusted users with
> > shell accounts on your machine, the 'local exploit' is a not a issue.
> 
> No, no and no. Possible local root exploits are always, under each
> circumstance a risk. There is no excuse not updating by installing a
> bugfix kernel.
> 
> Alexander
> 


> Since this is a home user, I'll ponder your advice with a grain of salt.
> If the user upgrades and everything works perfectly, then fine, it's a
> worthy task. But with all the kernel upgrades causing problems in this
> and other mailing lists, disruption of service (availability) is a
> fundamental principle of security. In effect, you've just caused
> something your trying to prevent. 
> 
> Each scenario is different, if this particular user has no open services
> available on this box, the possibility of someone compromising the
> system are insignificant. Properly configured security layers prevent
> this from happening in the first place. 
> 
> In the enterprise environment, updates/changes break things very easily
> and unless you don't care about service delivery, this would not be a
> good idea.. 

Having your server updated with the latest security patches IS one of
the layers of defense you talk about.  And that is the one where some
how a hacker finds a way to get standard user account access on your
system.  He then uses the exploit that you did not patch because you
only relied on some external security measures.  

Hard and crunchy on the outside and soft and chewy on the inside.  This
is not a good security model.  All it takes is one crack in that hard
outer shell and your systems get owned.

And if you don't practice all or as many of the best security practices
all the time one day it will come back to bite you.  Lets say this user
at the moment does not have any open services or ports on their system
so they ignore several security updates feeling pretty secure in their
situation.  A month or two down the road the user decides to enable http
for a small web page they want to host.  Shortly after opening the ports
the users system is hacked due to a security bug in http and because
they did not have their OS patched the hacker was able to gain root
access very easily.  Ooops, the user forgot about those security
patches.  By not trying to follow best practices all the time people
back themselves into problems without ever realizing it.


-- 
Scot L. Harris
webid at cfl.rr.com

Sendmail may be safely run set-user-id to root.
		-- Eric Allman, "Sendmail Installation Guide"

More information about the fedora-list mailing list