Preston.F.Crow.Adv94@Alum.Dartmouth.ORG (Preston F. Crow Adv94):
> Jesse Pollard:
> >I hope this doesn't get into the kernel. This weakness is very very bad.
>
> That's why I made it a config option. In most cases, people won't
> turn it on; distributions certainly won't turn it on. However, for
> very limited situations, it can be quite useful.
Bad use of root should never be encouraged.
> In my case, we were switching from Solaris to Linux, and Solaris allowed
> suid scripts. We used a bunch of them, so all that had to be fixed before
> the Linux version could run. With suid scripts, it would have run
> immediately, and we could have fixed the security later.
And it has to be turned off all the time, and on every system until Sun
eliminates it.
> And while it's probably foolish, we don't really care much about security
> inside the firewall.
Famous last words...
> All the stuff we care about is on NFS, anyway, so
> there's not any real hope of security to begin with.
Obviously you don't want any security. Firewalls themselves do not support
security since most violations occur from:
1. accidents
2. poor training
3. laziness (related to #1 and #2, but even careful people get tired)
4. disgruntled employees
Outside attack can still be done. Don't depend on the firewall for all of
your security.
> I hope this does make it into the kernel. Most people will just leave
> it off.
From a security standpoint, I DON'T want it there - this can be your patch
and only your patch. The potential for failure is too great that this gets
turned on by accident.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:25 EST