On Thu, 28 Jul 2005, Nick Rout wrote:
> I agree, people were critical when distros shipped with many services
> turned on. We cannot have it both ways. Although X11 is network friendly,
> most people in fact have very little use for this. The situation of
> server + X terminals is far less common than standalone X servers (i.e.
> connecting only to clients on the same box).
I call it concrete block security.
It's secure because it does nothing useful.
It's the wrong fix for the problem. For example, access via ssh can be
turned off in so many places (sshd not installed, not enabled in
xinetd.conf, disabled in pam (several places), firewalled out, ....) that
on some distros it can be a day or two's effort to get it working.
(Especially since several things can be broken at once, debugging is
hard.)
Apache is getting like that too. Every time I install and tweak it, I have
to fight httpd.conf, xinetd.conf, the firewall, security permissions at the
httpd level, security permissions at the unix level, security permissions
on every path element on the way to the document I want displayed and in
httpd directory security permissions. Sometimes I'm gently amazed it ever
works.
Thus if everything is "off by default" the task of getting it to work can
be just too hard. Instead of Linux saving you time, configuring it around
paranoid security loses you time.
All the services have good enough authentication mechanisms, but bugs in
the service permit security breaches.
Thus the right fix is not to disable everything, but to fix the @^%#
bugs.
John Carter                    Phone : (64)(3) 358 6639
Tait Electronics               Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch       Email : [EMAIL PROTECTED]
New Zealand
Carter's Clarification of Murphy's Law.
"Things only ever go right so that they may go more spectacularly wrong later."
From this principle, all of life and physics may be deduced.
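The post's point that ssh can be switched off at several independent layers, and that more than one of them can be broken at once, is the kind of thing that is easier to see with a checker that reports every blocking layer instead of stopping at the first. The following is an added example, not code from the original post or from any distro: it models the layers the post names (sshd installed, xinetd stanza, pam stack, sshd_config listen settings, iptables INPUT chain) as small parsers over config text. All config fragments are constructed for the example, and the function names and the exact blocker strings are this example's own choices.

```python
"""Report every layer that would stop a remote ssh login (added example)."""
import re

# --- constructed config fragments, deliberately broken at several layers ---
XINETD_SSH = """\
service ssh
{
    disable     = yes
    socket_type = stream
    server      = /usr/sbin/sshd
    server_args = -i
}
"""
PAM_SSHD = """\
auth     required   pam_env.so
auth     required   pam_deny.so     # nobody authenticates past this line
account  required   pam_unix.so
"""
SSHD_CONFIG = """\
Port 2222
ListenAddress 127.0.0.1
"""
IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def xinetd_disabled(stanza):
    """True when the xinetd service stanza carries 'disable = yes'."""
    for raw in stanza.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'disable\s*=\s*(\S+)', line)
        if m:
            return m.group(1).lower() == 'yes'
    return False  # xinetd services run unless explicitly disabled


def pam_denies_everyone(pam_file):
    """True if a required/requisite pam_deny.so sits in the auth or account stack."""
    for raw in pam_file.splitlines():
        parts = raw.split('#', 1)[0].split()
        if len(parts) < 3:
            continue
        typ, control, module = parts[0].lstrip('-'), parts[1], parts[2]
        if (typ in ('auth', 'account') and control in ('required', 'requisite')
                and module.rsplit('/', 1)[-1] == 'pam_deny.so'):
            return True
    return False


def sshd_listen(sshd_config):
    """Return (port, loopback_only); defaults are port 22 and every address."""
    port, addrs = 22, []
    for raw in sshd_config.splitlines():
        parts = raw.split('#', 1)[0].split()
        if len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1]
        if key == 'port':
            port = int(val)
        elif key == 'listenaddress':
            addrs.append(val)
    loopback_only = bool(addrs) and all(
        a.startswith(('127.', '::1', '[::1]', 'localhost')) for a in addrs)
    return port, loopback_only


def firewall_blocks_port(rules, port):
    """Walk the iptables-save INPUT chain for a NEW remote tcp connection to port.

    First matching terminal rule wins; otherwise the chain policy applies.
    Rules bound to the loopback interface or to non-NEW states are skipped.
    """
    policy = 'ACCEPT'
    for raw in rules.splitlines():
        toks = raw.split()
        if toks[:1] and toks[0].startswith(':INPUT'):
            policy = toks[1]
            continue
        if toks[:2] != ['-A', 'INPUT']:
            continue
        if '-i' in toks and toks[toks.index('-i') + 1] == 'lo':
            continue
        if '-p' in toks and toks[toks.index('-p') + 1] not in ('tcp', 'all'):
            continue
        if '--dport' in toks and int(toks[toks.index('--dport') + 1]) != port:
            continue
        if '--state' in toks and 'NEW' not in toks[toks.index('--state') + 1].split(','):
            continue
        target = toks[toks.index('-j') + 1]
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            return target != 'ACCEPT'
    return policy != 'ACCEPT'


def diagnose(installed, xinetd_conf, pam_conf, sshd_conf, fw_rules):
    """Check every layer and return all blockers, since several can fail at once."""
    blockers = []
    if not installed:
        blockers.append('sshd not installed')
    if xinetd_disabled(xinetd_conf):
        blockers.append('xinetd: disable = yes')
    if pam_denies_everyone(pam_conf):
        blockers.append('pam: pam_deny.so required in auth/account')
    port, loopback_only = sshd_listen(sshd_conf)
    if loopback_only:
        blockers.append('sshd_config: ListenAddress is loopback only')
    if firewall_blocks_port(fw_rules, port):  # note: the port sshd really uses
        blockers.append('firewall: INPUT does not accept tcp/%d' % port)
    return blockers


if __name__ == '__main__':
    for b in diagnose(True, XINETD_SSH, PAM_SSHD, SSHD_CONFIG, IPTABLES):
        print('blocked:', b)
```

The firewall check is evaluated at the port sshd_config actually sets, not at 22, which is why the sample reports the firewall as a blocker even though it accepts tcp/22: the rule and the daemon disagree, which is exactly the sort of "several things broken at once" situation that makes the debugging hard.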