"Brian A. Stumm" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Mon, 15 Sep 2003, Serpent wrote:
>
> >
> > ----- Original Message -----
> > From: "Brian A. Stumm" <[EMAIL PROTECTED]>
> >
> >
> > > On Mon, 15 Sep 2003, Ryan Schulze wrote:
> > >
> > > > Brian A. Stumm wrote:
> > > >
> > > > >On Mon, 15 Sep 2003, Daniel Stroven wrote:
> > > > >
> > > > >
> > > > >
> > > > >>Those #'s look awesome, but for security purposes, 2.4.9 is not really a
> > > > >>kernel I want running.  As pointed out by my friend matt, the difference in
> > > > >>2.4.9 from 2.4.10 and higher is the VM used.  But exploits like ptrace and
> > > > >>others could make it vulnerable to remote exploits.  We are going to test
> > > > >>the kernel on the box to see results of usage.  But, I doubt we will keep it
> > > > >>if we can not make it extremely secure.
> > > > >>
> > > > >>
> > > > >
> > > > >how does this affect a box that only allows traffic on ports used by half
> > > > >life servers?
> > > > >
> > > > remember that security hole in hlds where you could get a shell on the
> > > > box running half-life?
> > > > the fw will have to have more relaxed rules on outgoing traffic from the
> > > > box (e.g. for VAC checks)
> > > > if all else fails one could kill the hlds process and bind the shell to
> > > > the hlds port.
> > > >
> > > > got root? *g*
> > >
> > > How does this pertain to the kernel version you run, that's a hlds hole not
> > > a kernel hole.
> >
> > Go to http://www.securityfocus.com and type in "linux kernel" in the search
> > box. Then you will see why to use the latest kernel when possible.
>
> I still don't see how this applies to a box that is locked down from the
> outside world except on a single port, i.e. 27015, which is being answered by
> the hlds process which is running non root. It's the router's job at this
> point to keep the system safe, since it's refusing connections on the other
> ports. And it's hlds' job to keep port 27015 safe. No matter what kernel
> you run in this situation it's still boiling down to your router/firewall
> (assume an external hardware solution here please) and hlds keeping
> intruders out. It also boils down to being smart enough not to run hlds as
> root. What am I missing?
>


And that is exactly your fundamental flaw, you actually trust Valve that
they develop completely secure software, and that if a flaw is found, that
they will patch it quickly and on time.....

like they did with the previous bug they knew 4 months off and ignored until
it was out in the open :)

And since you think you are secure for not running hlds as root, well what's
the point in that when you run a kernel vulnerable to the ptrace bug? You can
run your hlds as root since it won't really matter with such an old kernel.

