begin quoting JD Runyan as of Tue, Apr 19, 2005 at 10:37:54AM -0500: [snip] > Unless the web browser has the TCP/IP stack built into it, and launches > only when you are browsing the web, then the system is running as a > multi-user networked computer. There are risks here, and the first step > to mitigating the risk is isolating the system's file from the user's files.
Why? The user's files are important. The system's files include those things that allow a malicious program to damage the user's files. > If you are connecting to a network, there are necessary daemons running > to make this happen. Which ones? > They must run as a user. Most distros run these as > users other than root. If you are root, then you can manipulate these > services, and program you are running can do so as well. If any of > these daemons listen on network ports, then you are inviting some sort No, we're presuming a single-user system. Nothing is listening on a port. > of connection to your system from other systems/users. Its a multi-user > operating system, thus you cannot assume a single user world, even if > only one person ever touches the keyboard. This is precisely what has I don't think 'single-user' means the same thing to you as it does to me. :) > caused MS' heartburn. They started as a true single-user OS, and have > added multi-user features to the system over the years. Why should > anyone encourage Linux, a multi-user OS, to behave as if it is a > single-user OS. Because Linux has a goal of world domination, and that apparently includes the single-user market. [snip] > I was referring more to the OS. Once the OS is compromised, then your > system can be rendered unusable. Who cares about the OS? Once your data is corrupted or deleted, then your system _is_ unusable. > I would mention that it could be used > to attack others, but since we are only concerned with ourselves here, > that probably doesn't matter either. Yup. -Stewart "I can reinstall the OS so long as my data is safe." Stremler
pgpTSmYvhTFza.pgp
Description: PGP signature
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
