On Thu Mar 13, 2003 at 08:26:23PM +0100, Henri wrote:

> OpenSource is said to be more secure: a question has come to my mind:
> before releasing the 9.1, will there be a security audit on critical
> apps, on drakconf tools etc. or not? Perhaps this would avoid big holes
> like the shutdown one, no?

You're kidding, right?  A security audit in two days?

I agree that performing an audit on Mandrake tools is important, but it's
laughable to suggest we audit every piece of software we include.  No other
vendor has done this, even those who profess to have secure Linux distros.
The only exception to this is OpenBSD, but they also still ship BIND4 IIRC.

The "big hole" in shutdown is a configuration flaw, not necessarily a flaw
in any one program.  A mistake was made in assuming that removing
/usr/bin/shutdown was enough; this was proven to be inaccurate.  To
completely remove this, the /etc/pam.d/shutdown file needs to be removed as
well... consolehelper doesn't really do anything on its own other than talk
to pam, and pam was still allowing it.  So a config file needs to be removed.

Yes, little things like this need to be checked and avoided.  But asking us
to do a wholesale security audit based on this one situation is not entirely
realistic.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}

Attachment: pgp00000.pgp
Description: PGP signature
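The configuration point above (a PAM service file left behind after the consolehelper wrapper binary is removed) can be checked mechanically. The script below is an added example, not something from the mail or from MandrakeSoft; it assumes the standard consolehelper layout, in which /usr/bin/<app> is a symlink to consolehelper, /etc/security/console.apps/<app> marks the service as consolehelper-managed, and /etc/pam.d/<app> is the PAM policy. The ROOT argument exists so the check can be run against a copy of a filesystem tree; on a live system it would be "/".

```shell
#!/bin/sh
# Added example: report (and optionally remove) consolehelper PAM services
# whose wrapper binary is gone.  Layout assumed (standard consolehelper):
#   ROOT/usr/bin/<app>                    -> symlink to consolehelper
#   ROOT/etc/security/console.apps/<app>  -> consolehelper app config
#   ROOT/etc/pam.d/<app>                  -> PAM service file
# Removing only the wrapper leaves the PAM side still granting the service,
# which is the shutdown situation discussed above.
#
# Usage: audit_consolehelper ROOT [report|fix]
audit_consolehelper() {
    root="$1"
    mode="${2:-report}"
    count=0

    for pam in "$root"/etc/pam.d/*; do
        [ -f "$pam" ] || continue
        app=$(basename "$pam")
        app_cfg="$root/etc/security/console.apps/$app"

        # Only services consolehelper knows about are relevant here;
        # ordinary PAM services (login, sshd, ...) are skipped.
        [ -f "$app_cfg" ] || continue

        wrapper="$root/usr/bin/$app"
        # -e follows symlinks, so a dangling wrapper symlink also counts as gone.
        if [ ! -e "$wrapper" ]; then
            count=$((count + 1))
            echo "STALE: $wrapper is gone but $pam and $app_cfg remain"
            if [ "$mode" = "fix" ]; then
                # Remove both halves so PAM no longer has a policy for the
                # service and consolehelper no longer recognises the app.
                rm -f "$pam" "$app_cfg"
                echo "REMOVED: $pam $app_cfg"
            fi
        fi
    done

    echo "stale consolehelper services: $count"
    return 0
}

# Run directly: audit_consolehelper.sh / [report|fix]
if [ -n "${1:-}" ]; then
    audit_consolehelper "$1" "${2:-report}"
fi
```

Run in report mode first; every STALE line names a service that PAM will still evaluate even though the intended entry point is gone. The fix mode removes the PAM file together with the console.apps entry, which is the "config file needs to be removed" step from the mail, applied to every affected service rather than just shutdown.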
