should i bother??

Fri Jan 14 16:38:19 UTC 2005

Scot L. Harris wrote:
> Message reordered to fix top posting.
> 
> On Thu, 2005-01-13 at 15:44, O'Neill, Donald (US - Deerfield) wrote:
> 
> 
>>-----Original Message-----
>>From: fedora-list-bounces at redhat.com
>>[mailto:fedora-list-bounces at redhat.com] On Behalf Of Alexander Dalloz
>>Sent: Thursday, January 13, 2005 2:19 PM
>>To: For users of Fedora Core releases
>>Subject: Re: should i bother??
>>
>>Am Do, den 13.01.2005 schrieb O'Neill, Donald (US - Deerfield) um 15:55:
>>
>>
>>>As for the local root exploit, unless you have untrusted users with
>>>shell accounts on your machine, the 'local exploit' is a not a issue.
>>
>>No, no and no. Possible local root exploits are always, under each
>>circumstance a risk. There is no excuse not updating by installing a
>>bugfix kernel.
>>
>>Alexander
>>
> 
> 
> 
>>Since this is a home user, I'll ponder your advice with a grain of salt.
>>If the user upgrades and everything works perfectly, then fine, it's a
>>worthy task. But with all the kernel upgrades causing problems in this
>>and other mailing lists, disruption of service (availability) is a
>>fundamental principle of security. In effect, you've just caused
>>something your trying to prevent. 
>>
>>Each scenario is different, if this particular user has no open services
>>available on this box, the possibility of someone compromising the
>>system are insignificant. Properly configured security layers prevent
>>this from happening in the first place. 
>>
>>In the enterprise environment, updates/changes break things very easily
>>and unless you don't care about service delivery, this would not be a
>>good idea.. 
> 
> 
> Having your server updated with the latest security patches IS one of
> the layers of defense you talk about.  And that is the one where some
> how a hacker finds a way to get standard user account access on your
> system.  He then uses the exploit that you did not patch because you
> only relied on some external security measures.  
> 
> Hard and crunchy on the outside and soft and chewy on the inside.  This
> is not a good security model.  All it takes is one crack in that hard
> outer shell and your systems get owned.
> 
> And if you don't practice all or as many of the best security practices
> all the time one day it will come back to bite you.  Lets say this user
> at the moment does not have any open services or ports on their system
> so they ignore several security updates feeling pretty secure in their
> situation.  A month or two down the road the user decides to enable http
> for a small web page they want to host.  Shortly after opening the ports
> the users system is hacked due to a security bug in http and because
> they did not have their OS patched the hacker was able to gain root
> access very easily.  Ooops, the user forgot about those security
> patches.  By not trying to follow best practices all the time people
> back themselves into problems without ever realizing it.
> 
> 
I always install kernel updates when they're released, mostly for the reasons above.  I keep at least one previous kernel installed in case it breaks something, but so far it hasn't.  While it's always possible that in closing one security hole another is opened, I trust the kernel developers to take every reasonable precaution not to let this happen.  Also, you're better off closing older and better known holes than newer unknown ones, all else being equal.  

Also, the power off bug mentioned on this forum a few weeks ago has apparently been fixed.  It took me a while to notice, so unimportant is that feature to me, but the laptop users were understandably annoyed.

 --
David Liguori