On Wednesday, October 17, 2001, at 10:32 AM, Cranz, Gregory wrote: > And Solaris, IRIX, Linux, AIX, and any other flavor of UN*X you get > ALSO ALL > need SERIOUS work out of the box to make them secure.
yup. and i can attest that at SGI a lot of work went into tightening the OS up as shipped, and in providing scripts to help the admin further secure the machine. however, that only goes so far; security of the local configuration is a local administration issue. the default installed configuration of MacOS X seems to me to be quite reasonable, security-wise, relative to UNIX distribution norms. nonetheless, it's useful to distinguish between security flaws due to misconfiguration and those due to bad design or coding. the behavior that Randall initially reported is bad design and/or coding. i do note, however, that attempting to securing a UNIX box when there is direct physical access is rarely a useful endeavor -- if you can force a reboot from an arbitrary volume, or heck, yank the hard drive, it just ain't secure... if there is a remote exploit of this general SUID problem, that's the place to start worrying. that and the obvious implications about trusting a remote public MacOS X box. > I suggest that we start a document that can be circulated to outline the > steps that should be taken to secure OS/X. Similar documents exist for > all > of the above platforms I mentioned. yup. though this may not be the right list to host such work. except, i guess, where Perl can be used to secure or test the security of a configuration. and where Perl itself presents security issues. i expect the former is likely, and later (from the bad design/coding viewpoint) unlikely (except where generally understood, and already well documented). (hmm, well, mod_perl gets tricky, but it's not loaded in the default httpd config). > I don't think we should leave it to Apple to make us secure. yup. but they shouldn't ship gratuitous security holes. > There's several million people who made the same mistake with > Micro$oft & I think we > all know just how much effort they put into security... > Macro virus anyone? pathetic... yup. but then again, they're the big fat easy target. let's hope that in a few years you aren't saying the same about Apple Script viruses. or maybe we should hope that... -Greg -- www.suddensound.com --
