On Tue, Dec 11, 2007 at 12:52:56AM -0500, [EMAIL PROTECTED] wrote:
> On Dec 11, 2007 12:30 AM, Porkchop <[EMAIL PROTECTED]> wrote:
> >
> > Have an open mind. Just that one can't think of a situation in which
> > this would be a good idea doesn't mean there is no case in which this is
> > a good idea.
> 
> Ok, I'm trying but I really can't imagine any good reason to execute a
> shell script directly fetched over HTTP. Not on a private lan, not
> anywhere. HTTP is completely unencrypted, and it's easily spoofable.
> If you can live with that, so be it..

Actually, most network Linux installers use HTTP, and run code off of an
HTTP server.  It's all about levels of risk.

If you control your own network, you are on switched hardware, and you
are referencing your server by IP (within your own network), you're not
doing so bad when it comes to security to use HTTP.

> > Imagine being given the task of installing Linux onto 400 machines.
> > What's the easiest, most straightforward and extensible way? What I did
> > for a datacenter was make a barebones bootcd (actually, it was small
> > enough for a floppy) with just enough brains to do exactly what Michael
> > is attempting to do. (incidentally, I was running the whole thing as
> > root; no need to su.)
> 
> NFS is our friend. :-)

NFS is equally unencrypted and spoofable. :)

> > Yes, I realize you assumed he was using a public internet site he has no
> > control over rather than an intranet server. But he didn't tell us that.
> 
> Again, HTTP is so easily spoofable that even people that ask for help
> about bash can do it. If he's on an intranet so large as to require
> automated installation solutions, then there's a fairly good chance, I
> think, that there are other people on the network besides him. The
> moment you add another person into the equation, the network should
> now be assumed compromised; I may be being a bit pessimistic here, but
> we're talking about "Administrator" privileges.
> 
> > It's perfectly legitimate to warn him "this may not be what you want to
> > do", but there's no need to repeatedly flame him when you may not know
> > exactly what is going on.

Agreed.  Let's keep the tone civil here.  If you want to throw in with
an answer to a question please do, but I'd like to keep the discussions
civil and friendly, with the insults to a minimum.

     -Sean

-- 
__________________________________________________________________

Sean Dague                                       Mid-Hudson Valley
sean at dague dot net                            Linux Users Group
http://dague.net                                 http://mhvlug.org

There is no silver bullet.  Plus, werewolves make better neighbors
than zombies, and they tend to keep the vampire population down.
__________________________________________________________________

Attachment: signature.asc
Description: Digital signature
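
Added example, not part of the original message: one way to lower the risk discussed in this thread when a boot image pulls its install script over plain HTTP is to pin the script's SHA-256 on the boot media and refuse to run anything that does not match. The function names, the file name install.sh and the sample script are assumptions made for illustration, and the script is assumed to have been downloaded to a local file already.

```shell
#!/bin/sh
# Added example (not from the thread). The pinned digest must come from the
# trusted boot media; a checksum fetched over the same HTTP channel can be
# replaced together with the script and protects nothing.

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_verified FILE EXPECTED_SHA256
# Runs FILE with sh only when its digest equals the pinned value.
# Returns 1 without executing anything on a missing file or a mismatch.
run_verified() {
    file=$1 expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file; refusing to run" >&2
        return 1
    fi
    sh "$file"
}

# Constructed demonstration: a stand-in install script, its digest pinned,
# then the same file altered as it would be by tampering in transit.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo "install step ran"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")   # normally baked into the boot image
    ok=0;  run_verified "$dir/install.sh" "$pinned" || ok=$?
    printf 'echo "injected line"\n' >> "$dir/install.sh"
    bad=0; run_verified "$dir/install.sh" "$pinned" 2>/dev/null || bad=$?
    rm -rf "$dir"
    # Success means the original ran and the altered copy was refused.
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "original accepted, altered copy refused"
```

This detects a modified script, but it does not hide the script's contents from anyone watching the network.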
