[Gllug] Code Tux
Bruce Richardson
brichardson at lineone.net
Fri Jul 20 11:57:55 UTC 2001
On 7/20/01, 9:23:46 AM, Gordon Joly <gordon.joly at pobox.com> wrote
regarding [Gllug] Code Tux:
> So, no holes in Linux then?
> :-)
Oh yes, but since Linux installations are so much more varied
(different distributions, different versions, different security
set-ups, wider choice of components/applications for any specific
task) it's far harder to exploit vulnerabilities on the same wide
scale. Add to that the fact that it's simply easier to secure an
open, modular freenix set-up than a monolithic, opaque proprietary system.

That said...
<rant>
If only the Linux distributions paid the same attention to security as
the *BSD people. Instead, they default to installing every imaginable
service and turning them all on. This is an MS-style "don't frighten
the newbie, don't even give them the burden of having to tick an 'I
want this service' box" approach and criminally stupid. How many
newbies are going to want talkd or fingerd, ffs, or even know what
they are?

Taking the attitude that you'll lock it down if you know what you're
doing just is not acceptable.

I also wouldn't mind seeing security becoming a little more of a
priority in Linux kernel development. FreeBSD has the Securelevel
flags which allow you to set basic security measures in the kernel -
set to level 2 and immutable/append-only flags cannot be changed,
/dev/mem and /dev/kmem are locked, disk mount settings can't be
tampered with and so on. It's not perfect but it's another layer in
the onion of security.
</rant>
I see there's talk in the Debian developers list of putting
capabilities into the kernel by default. About time.
--
Bruce
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug