[Bleat bleat.. "Don't install the compiler it makes it a "little bit safer"]
[Bleat bleat "No it doesn't make a difference"]
Mooseapples. Both herds are wrong. *Not* having the compiler makes the system
*Less* secure, because it's more of a PITA for the admin to apply
fixes. Doesn't matter
On 8/24/06, Nick Shank <[EMAIL PROTECTED]> wrote:
...
Regardless, I was simply asking if 1) The possibility of a user who has
access to the system had been thought of, and 2) Would it matter.
Umm, hasn't this whole discussion been about the situation when the
user has access? If they don't ha
On Thu, Aug 24, 2006 at 12:38:26PM -0700, Nick Shank wrote:
> Through all of this, and maybe I've just missed it, what happens when a
> user tries to make spl01t.c?
stop it, please, you're killing me.
There is nothing special about your machine that makes binaries compiled
somewhere else not be
Scott Plumlee wrote:
NetNeanderthal wrote:
On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing compiler doesn't bring much more security to your system, but it
can make it a little bit safer. Very little bit, but safer. I mean, if your
system has local root hole, for example, in this
David Terrell wrote:
On Thu, Aug 24, 2006 at 12:38:26PM -0700, Nick Shank wrote:
Through all of this, and maybe I've just missed it, what happens when a
user tries to make spl01t.c?
stop it, please, you're killing me.
There is nothing special about your machine that makes binaries com
NetNeanderthal wrote:
On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing compiler doesn't bring much more security to your system, but it
can make it a little bit safer. Very little bit, but safer. I mean, if your
system has local root hole, for example, in this case cracker should
Hi Tomas,
Tomas wrote on Thu, Aug 24, 2006 at 09:18:26AM +0300:
> Han Boetes wrote:
>> Tomas wrote:
> Thank you very much, I think that's the way I will do it :)
Then do it very carefully!
I see at least one trap you might stumble into...
> It's quicker than compiling all the release...
Proba
On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing compiler doesn't bring much more security to your system, but it
can make it a little bit safer. Very little bit, but safer. I mean, if your
system has local root hole, for example, in this case cracker should
compile his sploit someth
"Stephan A. Rickauer" <[EMAIL PROTECTED]> wrote:
> People from time to time say they don't want to have a compiler
> installed on a productive system due to security issues. I don't
> understand this. Isn't it too late anyway, if someone's already able to
> make use of the compiler?
Yes, it's too
Anton Karpov wrote:
> Removing compiler doesn't bring much more security to your system, but
> it can make it a little bit safer. Very little bit, but safer. I mean,
> if your system has local root hole, for example, in this case cracker
> should compile his sploit somewhere outside your box, and t
On 8/24/06, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote:
People from time to time say they don't want to have a compiler
installed on a productive system due to security issues. I don't
understand this. Isn't it too late anyway, if someone's already able to
make use of the compiler?
I'll st
Anton Karpov wrote:
2006/8/24, Stephan A. Rickauer <[EMAIL PROTECTED]>:
People from time to time say they don't want to have a compiler
installed on a productive system due to security issues. I don't
understand this. Isn't it too late anyway, if someone's already able to
make use of the compile
2006/8/24, Stephan A. Rickauer <[EMAIL PROTECTED]>:
>
> People from time to time say they don't want to have a compiler
> installed on a productive system due to security issues. I don't
> understand this. Isn't it too late anyway, if someone's already able to
> make use of the compiler?
>
> --
>
Well, given the prevalence of scripting languages and such, it seems
like a false sense of security.
And frankly, why can't the cracker that already knows what OS he's
working on, not just supply a pre-compiled binary...
But whatever works for people.
Han Boetes wrote:
Tomas wrote:
Yes
Tomas wrote:
> Yes it's too late, but why let a hacker compile his exploits on
> your system and go compromising other PCs (from your DMZ or from
> internet, it doesn't matter).
If a hacker is on your system, he'll also manage to install the compiler
himself before using it.
Stephan
[de
Tomas wrote:
> Yes it's too late, but why let a hacker compile his
> exploits on your system and go compromising other PCs (from
> your DMZ or from internet, it doesn't matter).
Exactly, all compilers should be forbidden!
# Han
Yes it's too late, but why let a hacker compile his exploits on
your system and go compromising other PCs (from your DMZ or from
internet, it doesn't matter).
Stephan A. Rickauer wrote:
People from time to time say they don't want to have a compiler
installed on a productive system du
People from time to time say they don't want to have a compiler
installed on a productive system due to security issues. I don't
understand this. Isn't it too late anyway, if someone's already able to
make use of the compiler?
--
Stephan A. Rickauer
Tomas wrote:
> How can I make sure that httpd was patched? Is it enough to see
> version of mod_rewrite.c (it should be 1.24.6.1)?
Yes, that should suffice.
# Han
Thank you very much, I think that's the way I will do it :) It's quicker
than compiling all the release... And if it'll prove to be working :)
it'll be the best way to update things in openbsd :) Can I ask you one
more thing? How can I make sure that httpd was patched? Is it enough to
see versi
Tomas wrote:
> I was wondering is there any way to patch my httpd server without a
> compiler? I don't want to add a compiler on my production web server,
> but I need to patch httpd (security fix 004). I use OpenBSD 3.9.
cd /usr/src/usr.sbin/httpd
cvs up
make -f Makefile.bsd-wrapper obj clean
On 8/24/06, Greg Thomas <[EMAIL PROTECTED]> wrote:
He was responding to the list. Why are you taking it so personally?
Even if he was directing his rant directly at you who cares, are you
Buddha?
Who cares? You do obviously. Nick's points are fine, but he fired his
rant in the wrong direction.
On 8/23/06, Juha Saarinen <[EMAIL PROTECTED]> wrote:
On 8/23/06, Nick Holland <[EMAIL PROTECTED]> wrote:
> THEN PUT THE COMPILER ON THE COMPUTER IN QUESTION! Sheesh.
Hmm? What are you ranting about?
He's ranting about people naively leaving compilers off of computers
in the interest of making
On 8/23/06, Nick Holland <[EMAIL PROTECTED]> wrote:
THEN PUT THE COMPILER ON THE COMPUTER IN QUESTION! Sheesh.
Hmm? What are you ranting about?
"Hi, I just shot myself in the foot, and it really hurts. I don't think
it should be that way" uh..then watch where you store your bullets.
I se
Juha Saarinen wrote:
On 8/23/06, Nico Meijer <[EMAIL PROTECTED]> wrote:
Set up another, non-production, box with 3.9 and build -stable on that.
Follow `man release` and read the upgrade guide on how to extract the
sets.
Seems a slightly cumbersome way to deal with security issues which may
be
Thanks all for the advice,
I will do Nico's way :) And when I will have more free time I will try
binpatch.
On 8/23/06, Rogier Krieger <[EMAIL PROTECTED]> wrote:
An alternative may be binpatch (see the archives), but I haven't tried
that piece of software yet. IIRC, quite a few people are happy with
that, so it may be worth your while.
Yeah, binpatch works nicely.
--
Juha
Hi Juha,
> Seems a slightly cumbersome way to deal with security issues which may
> be urgent, but perhaps that's just me?
Maybe. ;-)
I find it easier than reading different patch-instructions and updating
several servers.
I have one procedure to run. After my `make release` I distribute the
se
On 8/23/06, Juha Saarinen <[EMAIL PROTECTED]> wrote:
On 8/23/06, Nico Meijer <[EMAIL PROTECTED]> wrote:
> Set up another, non-production, box with 3.9 and build -stable on that.
Seems a slightly cumbersome way to deal with security issues which may
be urgent, but perhaps that's just me?
Buil
1
> To: Nico Meijer
> Cc: OpenBSD Misc list
> Subject: Re: How to update httpd without a compiller
>
> On 8/23/06, Nico Meijer <[EMAIL PROTECTED]> wrote:
> > Set up another, non-production, box with 3.9 and build
> -stable on that.
> > Follow `man release` and
On 8/23/06, Nico Meijer <[EMAIL PROTECTED]> wrote:
Set up another, non-production, box with 3.9 and build -stable on that.
Follow `man release` and read the upgrade guide on how to extract the
sets.
Seems a slightly cumbersome way to deal with security issues which may
be urgent, but perhaps th
Hi Tomas,
> I was wondering is there any way to patch my httpd server without a
> compiler? I don't want to add a compiler on my production web server,
> but I need to patch httpd (security fix 004). I use OpenBSD 3.9.
Set up another, non-production, box with 3.9 and build -stable on that.
Fo
Hi list,
I was wondering is there any way to patch my httpd server without a
compiler? I don't want to add a compiler on my production web server,
but I need to patch httpd (security fix 004). I use OpenBSD 3.9.
33 matches