[Gllug] Code Tux

Bruce Richardson brichardson at lineone.net
Fri Jul 20 16:24:51 UTC 2001 

On 7/20/01, 12:15:37 PM, home at alexhudson.com wrote regarding Re: 
[Gllug] Code Tux:


> On Fri, Jul 20, 2001 at 11:57:55AM +0000, Bruce Richardson wrote:
> > If only the Linux distributions paid the same attention to security as
> > the *BSD people.

> I think it comes down to this: bsd is a marginal operating system used 
by
> sysadmins and geeks, noone else. If Linux was setup as tightly as (for
> example) OpenBSD, noone would use it at the levels we're currently 
seeing.

Very true but it doesn't excuse the default installation of talkd, 
fingerd etc.  Several of the distributions now have impressive GUI 
installation routines and I don't see why they couldn't include an 
"Optional Services" screen with a "Tick here to enable" box and a 
"Click here to find out more" button.

Some of these things are very simple.  Why enable the portmapper if 
you haven't installed anything that uses it?  Debian, for example, 
includes the portmapper as part of the netbase package.  It's a core 
package (inetd, ping, ipchains etc) so it always goes on - but this 
means portmapper is always on by default.  This is just stupid and 
completely unnecessary when a simple option in debconf could allow you 
to choose (for example) between always having it on, never having it 
on or having it enabled should any package that needs it ever be 
installed.

Debian's package management system is clever enough to spot when you 
are installing a package complex enough to need the full debconf 
package, rather than debconf-tiny, to manage its options - so it 
installs debconf along with the requested package.  It's smart enough 
to remember whether you want inetd options to be automatically 
transferred to xinetd or if you want to do it manually, and does the 
appropriate thing each time you install an inetd/xinetd activated 
service.  If it can do that, it can damn well leave the portmapper 
turned off until you actually install knfsd or whatever.

That isn't locking down the system down beyond usability, that's a 
simple, sensible configuration.  If the Debian maintainers can't be 
bothered with that kind of simple precaution they have no business 
being so damned elitist (says Bruce the Debian bigot).

After 4 years of using Linux I now have a checklist of things that 
should be secured.  The people who design the distributions mostly 
have much more experience and a rather deeper understanding of Linux 
configuration and security - why they don't make use of this knowledge 
sensibly is beyond me.  I have a set of cfengine config scripts which 
can set one of several default security levels - why can't they do 
something similar with their tool of choice?  Why not make Linuxconf 
do something useful, for a change? (As opposed to randomly unsetting 
your preferences, which is how I remember it's behaviour).

Last time I looked at SuSE they did at least offer a choice of 
security levels - though this turned out to be more cosmetic than 
actual.  More of a security blanket than a security option.

It all reeks of the "If you don't know enough to secure your own 
system you deserve what you get" attitude.

-- 

Bruce






-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

More information about the GLLUG mailing list