On Mon, Oct 28, 2013 at 11:45:03AM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > And one must be careful of throwing stones.  For example Debian does
> > > not provide a firewall by default.  And it is debatable if it needs
> > > one.  Many people don't configure one.  Many people do.  It all
> > > depends upon many things about the use case.  I don't put one on
> > > internal machines.  But I do put one on front facing machines.
> > 
> > That's Debian's fault indeed. But at least they don't include any network
> > services worth speaking of (should we count the NFS portmapper, or not?) in
> > an installation produced by netboot.
> 
> Is 'rpcbind' installed by default?  I will need to look.  I wonder why
> it would be there?

Part of an NFS client, I guess. The package is not marked as an essential one,
though. Running a diskless client over NFS would be a curious trick
without NFS support enabled.


> > > That is an exaggeration.  For one it would need to be a local exploit
> > > for sudo to come in play.
> > 
> > Ok, let's say … CVE-2010-0427. Somewhat old, but possible.
> 
> CVE-2010-0427 is a local only exploit.  (Failure to reset group
> permissions properly.)  So it would need to be a locally known user in
> order to exploit it.  Not the same as having written the password on a
> T-shirt and wearing it around.

I fail to see how one could be given SSH access to the host, be able
to use sudo (and do so successfully), and still not be a local user.
I must be missing something here; can you please enlighten me?


> > SSH or telnet which is given such user for any legitimate purpose
> > will do just fine.
> 
> Yes.  But as described on these old Unix systems they are almost
> certainly part of the company, part of the family.  There are
> different levels of security needed to get jobs done.  Not every
> system needs to have ultimate security applied to it.  And again it
> isn't the same as putting it on a T-shirt and wearing it around.

Servers are usually differentiated by their lifecycle status indeed.
The purpose of testing and development servers that don't even try to mimic
the production environment has always eluded me.


> > > The password on a t-shirt would simply require someone who
> > > could walk by the admin and see it to gain remote access.
> > 
> > Hmm. Usually they keep developers, end users and sysadmins separated
> > here. So it's basically the same access complexity.
> 
> Goodness forbid that developers would ever talk with users or
> sysadmins!  :-(

Not funny. That's exactly what usually goes on here. About the only
people who can (and will) speak to everybody are helpdesk and HR.
The old 'divide and rule' principle applied at shop level.

Reco
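The open question in this thread is whether rpcbind is installed by default and whether the portmapper is actually listening. Below is an added example (not code from either poster) of how an admin could answer both on a Debian host; it assumes dpkg-query and iproute2's ss are available, and that the portmapper uses its standard port 111.

```shell
#!/bin/sh
# Added example: check whether the rpcbind package is present on a Debian
# host and whether anything is listening on the sunrpc/portmapper port.

# Returns 0 if the named package is installed according to dpkg,
# i.e. its status line is exactly "install ok installed".
pkg_installed() {
    dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null \
        | grep -q '^install ok installed$'
}

# Reads `ss -H -tuln` style lines on stdin (Netid State Recv-Q Send-Q
# Local Peer); returns 0 if any local address column ends in :111
# (covers both 0.0.0.0:111 and [::]:111), else 1.
listening_on_111() {
    awk '$5 ~ /:111$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Top-level report; every check sits inside an `if` so a missing tool
# just yields the negative branch instead of aborting under `set -e`.
main() {
    if pkg_installed rpcbind; then
        echo "rpcbind package: installed"
    else
        echo "rpcbind package: not installed (or dpkg not available)"
    fi
    if ss -H -tuln 2>/dev/null | listening_on_111; then
        echo "port 111 (portmapper): something is listening"
    else
        echo "port 111 (portmapper): nothing listening"
    fi
}

main
```

If the package turns out to be installed but unwanted on a host that never mounts NFS, `apt-get purge rpcbind` removes it; if it is needed, the second check is the one worth repeating after any change, since a package being installed and a service listening on the network are separate facts.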


Archive: http://lists.debian.org/20131028180553.GA29376@x101h
