
Re: Disabling everything



>> Truth is, I'm getting a bit worried about the general approach to
>> security, which is becoming "disable everything from the outside."  I
>> think we should focus on making these remote protocols safe, rather
>> than disabling them.

A noble effort, but mostly it has proved nearly impossible.  It is simply
very hard to write bug-free, and therefore secure, code.  Most people fail,
including Very Smart Security people.

We have three choices here:  don't run the server, run the server jailed
in a chroot environment (and, I hope, with other capabilities restricted),
or let the server run without protection, and hope the multiuser system
can defend itself.

I have given up on this last option.  People often write servers running as
root, when the server doesn't need it.  Even if they don't, I've decided that
it is a lost cause keeping a normal user from becoming root.  Most systems
generally have 50-70 programs setuid to root, and that's at least an order
of magnitude too many.

Therefore, I head them off at the network services pass.  My hosts typically
run ssh, ntp, and nothing else.

ches

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
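
An audit for the posture described in the message above (ssh and ntp, nothing else), as an added example that is not part of the original post. It assumes the input is the output of `ss -H -tuln` from iproute2 and that ssh and ntp sit on their standard ports (22/tcp, 123/udp); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network listeners that are not on an allowlist.
# Assumed input format (ss -H -tuln), one socket per line:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
ALLOWED="${ALLOWED:-tcp/22 udp/123}"   # ssh and ntp on their standard ports

unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        proto = $1; la = $5
        # Port is everything after the last colon; the address precedes it.
        port = la; sub(/^.*:/, "", port)
        addr = substr(la, 1, length(la) - length(port) - 1)
        sub(/%.*$/, "", addr)      # drop interface scope, e.g. 127.0.0.53%lo
        # Loopback-only sockets are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = proto "/" port
        if (!(key in ok)) print key, addr
    }' | sort -u
}

# Constructed sample, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
udp   UNCONN 0      0                  *:111              *:*
EOF
}

# On a live host: ss -H -tuln | unexpected_listeners
```

Empty output means every network-reachable listener is on the allowlist; each printed line is a protocol/port and bind address to shut down or justify.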