More reasons to like OpenBSD

2006-02-22 Thread Will H. Backman
Just a note to the OpenBSD community:
I have been helping a friend clean up after a security incident with a
PHP web app that hadn't been patched on a Linux server.  I run the same
app on OpenBSD, and I worry a lot less.  I still patch my PHP apps
because it would be stupid to assume that OpenBSD would always protect
me, but looking at how the exploit happened, I see that OpenBSD's apache
chroot would have prevented that particular attack.
So:
* Developers: Thanks for the proactive security!
* Users: Put the effort into making your stuff work in the chroot.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: More reasons to like OpenBSD

2006-02-22 Thread Paul de Weerd
On Wed, Feb 22, 2006 at 02:11:26PM -0500, Will H. Backman wrote:
| Just a note to the OpenBSD community:
| I have been helping a friend clean up after a security incident with a
| PHP web app that hadn't been patched on a Linux server.  I run the same
| app on OpenBSD, and I worry a lot less.  I still patch my PHP apps
| because it would be stupid to assume that OpenBSD would always protect
| me, but looking at how the exploit happened, I see that OpenBSD's apache
| chroot would have prevented that particular attack.
| So:
| * Developers: Thanks for the proactive security!
| * Users: Put the effort into making your stuff work in the chroot.

Also :

* Developers: Thanks for giving us pf :

pass in proto tcp from any to any port 80 keep state
...
block out log proto { tcp, udp } all user www

Sure, upload your udp.pl... Too bad you have only limited internet
access (there's some pass-rules later on for specific users).

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/
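
Because the block rule above carries `log`, each outbound attempt by a process running as www is recorded on pflog and can serve as a compromise signal. The following is an added example, not code from the thread or its posters: it assumes the text form printed by `tcpdump -n -e -ttt -r /var/log/pflog`, uses a hypothetical rule number 3 for the www block rule, and runs on constructed sample lines.

```python
import re
from collections import Counter

# Assumed line shape of `tcpdump -n -e -ttt -r /var/log/pflog`; the optional
# "/0" and ":" cover the older "rule 3/0(match): block out on ..." spelling.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(match\):? (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Hypothetical rule number of the "block out log ... user www" rule; read the
# real one from the "@N" prefix printed by `pfctl -vvsr`.
WWW_EGRESS_RULE = 3

# Constructed sample lines (documentation address ranges), not real captures.
SAMPLE = """\
Feb 22 14:02:11.120934 rule 3/(match) block out on fxp0: 192.0.2.10.40112 > 198.51.100.7.6667: S 1:1(0) win 16384
Feb 22 14:02:14.120951 rule 3/(match) block out on fxp0: 192.0.2.10.40112 > 198.51.100.7.6667: S 1:1(0) win 16384
Feb 22 14:05:40.551002 rule 3/0(match): block out on fxp0: 192.0.2.10.31337 > 203.0.113.9.53: 4242+ A? example.org. (29)
Feb 22 14:06:02.000113 rule 1/(match) block in on fxp0: 203.0.113.50.51515 > 192.0.2.10.22: S 9:9(0) win 65535
this line is not a pflog record
"""

def www_egress_attempts(lines, rule=WWW_EGRESS_RULE):
    """Count blocked outbound attempts per (dst, dport) for the given rule."""
    hits = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue  # skip anything that is not a recognisable record
        if (int(m["rule"]), m["action"], m["dir"]) != (rule, "block", "out"):
            continue  # another rule, or not an outbound block
        hits[(m["dst"], int(m["dport"]))] += 1
    return hits

if __name__ == "__main__":
    for (dst, dport), n in www_egress_attempts(SAMPLE.splitlines()).most_common():
        print(f"www egress blocked: {dst}:{dport} x{n}")
```

Any hit on this rule means something running as www tried to open a new outbound connection, which a web server that only answers requests should not do.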
