Reco wrote:
> Bob Proulx wrote:
> > And one must be careful of throwing stones.  For example Debian does
> > not provide a firewall by default.  And it is debatable if it needs
> > one.  Many people don't configure one.  Many people do.  It all
> > depends upon many things about the use case.  I don't put one on
> > internal machines.  But I do put one on front facing machines.
> 
> That's Debian's fault indeed. But at least they don't include any network
> services worth speaking of (should we count NFS portmapper, or not?) in
> an installation produced by netboot.

Is 'rpcbind' installed by default?  I will need to look.  I wonder why
it would be there?

> > That is an exaggeration.  For one it would need to be a local exploit
> > for sudo to come in play.
> 
> Ok, let's say … CVE-2010-0427. Somewhat old, but possible.

CVE-2010-0427 is a local only exploit.  (Failure to reset group
permissions properly.)  So it would need to be a locally known user in
order to exploit it.  Not the same as having written the password on a
T-shirt and wearing it around.

> > Therefore it would require a local user to
> > attack it.  A local access attack.
> 
> SSH or telnet which is given such user for any legitimate purpose
> will do just fine.

Yes.  But as described on these old Unix systems they are almost
certainly part of the company, part of the family.  There are
different levels of security needed to get jobs done.  Not every
system needs to have ultimate security applied to it.  And again it
isn't the same as putting it on a T-shirt and wearing it around.

> > The password on a t-shirt would simply require someone who
> > could walk by the admin and see it to gain remote access.
> 
> Hmm. Usually they keep developers, end users and sysadmins separated
> here. So it's basically the same access complexity.

Goodness forbid that developers would ever talk with users or
sysadmins!  :-(

> And sudo isn't that important. There's always Swiss-cheese
> web-interfaces today :)

People are writing new bugs every day!  Those that do not study
history are doomed to repeat it.

Bob
