[Gllug] Code Tux

Bruce Richardson brichardson at lineone.net
Fri Jul 20 11:57:55 UTC 2001


On 7/20/01, 9:23:46 AM, Gordon Joly <gordon.joly at pobox.com> wrote 
regarding [Gllug] Code Tux:

> So, no holes in Linux then?

> :-)

Oh yes, but since Linux installations are so much more varied 
(different distributions, different versions, different security 
set-ups, wider choice of components/applications for any specific 
task) it's far harder to exploit vulnerabilities on the same wide 
scale.  Add to that the fact that it's simply easier to secure an 
open, modular freenix set-up than a monolithic, opaque proprietary system.

That said...
<rant>
If only the Linux distributions paid the same attention to security as 
the *BSD people.  Instead, they default to installing every imaginable 
service and turning them all on.  This is an MS-style "don't frighten 
the newbie, don't even give them the burden of having to tick an 'I 
want this service' box" approach and criminally stupid.  How many 
newbies are going to want talkd or fingerd, ffs, or even know what 
they are?

Taking the attitude that you'll lock it down if you know what you're 
doing just is not acceptable.

I also wouldn't mind seeing security becoming a little more of a 
priority in Linux kernel development.  FreeBSD has the Securelevel 
flags which allow you to set basic security measures in the kernel - 
set to level 2 and immutable/append-only flags cannot be changed, 
/dev/mem and /dev/kmem are locked, disk mount settings can't be 
tampered with and so on.  It's not perfect but it's another layer in 
the onion of security.
</rant>

I see there's talk in the Debian developers list of putting 
capabilities into the kernel by default.  About time.

-- 

Bruce




