Hi
Thanks for your answer.

bofh wrote:
> You have to think carefully about the question you are asking.  If
> there are two known remote exploits, what do you think any studies
> would show you?  Less exploits?  More exploits?

I mean what is the experience.

> If more, wouldn't
> that make it into the "known" exploits list, unless it's a private
> study where nobody can get access to the results?  If that's the case,
> wouldn't we be going back to the "only two known remote holes" since
> no one knows about the other stuff?

This is just to get a taste of how good the actual achievement of
security in OpenBSD is.

> On your other question - if you hang a root shell off port 80, without
> password requirements, what happens? Is that a security issue caused
> by openbsd, or by someone ignorant of how to set up security? Now,

Sorry, but that is not intended to be done, only the standard webserver
in the art of rules. Thanks for pointing out that these kinds of mistakes
would compromise; therefore let's assume none of those errors would be made.

> you want to use php, a notoriously insecure piece of crap - what do
> you think would happen?

Sorry, please tell me how to proceed then? For example, Gmail has
to be very good at security due to their number of customers,
therefore if one needs to have this level of interactivity
such as login, etc. and keep security high, how to proceed then?
For the moment I intend to use php/Myadmin, but should someone help
me to set up a higher level of security, I'll take it.

> And you seriously think chroot will keep a
> determined person out?  Lots of "how to break out of chroot" articles
> out there, though I have not looked into how well those work on recent
> openbsd installs.
> 
> In other words, you need to learn a lot more, and spend a lot of time
> thinking about what you want to do and figuring out exactly what you
> want to ask and/or do.

Those are only simple questions, yet I only seek some help if you
would. Thanks.

> On 4/26/09, Jean-Francois <jfsimon1...@gmail.com> wrote:
>> Hi All,
>>
>> My question is in two parts.
>>
>> First considering the default install, assuming that one box should be
>> only used for example as a firewall, how good is the security level?
>> I mean I know there are only 2 remote holes in 10 years, but my question
>> is do we have any experience about the level of security such as studies
>> that demonstrated the failure to break into the default system for
>> example ? or any other experience in regards with that ?
>>
>> On the other side, now if we assume that one box should be used to host
>> a website, there are ways that the code such as php + mysql will be
>> breakable into. My question is that considering the chroot, can we
>> consider that the supposed hacker can never evade from the chroot by any
>> mean, even after he will be able to upload and execute files directly on
>> the web server ?
>>
>> Thank you a lot for your clarifications,
>>
>> Kind regards
>>
>> J-F
