Message reordered to fix top posting. On Thu, 2005-01-13 at 15:44, O'Neill, Donald (US - Deerfield) wrote: > -----Original Message----- > From: fedora-list-bounces@xxxxxxxxxx > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Alexander Dalloz > Sent: Thursday, January 13, 2005 2:19 PM > To: For users of Fedora Core releases > Subject: Re: should i bother?? > > Am Do, den 13.01.2005 schrieb O'Neill, Donald (US - Deerfield) um 15:55: > > > As for the local root exploit, unless you have untrusted users with > > shell accounts on your machine, the 'local exploit' is a not a issue. > > No, no and no. Possible local root exploits are always, under each > circumstance a risk. There is no excuse not updating by installing a > bugfix kernel. > > Alexander > > Since this is a home user, I'll ponder your advice with a grain of salt. > If the user upgrades and everything works perfectly, then fine, it's a > worthy task. But with all the kernel upgrades causing problems in this > and other mailing lists, disruption of service (availability) is a > fundamental principle of security. In effect, you've just caused > something your trying to prevent. > > Each scenario is different, if this particular user has no open services > available on this box, the possibility of someone compromising the > system are insignificant. Properly configured security layers prevent > this from happening in the first place. > > In the enterprise environment, updates/changes break things very easily > and unless you don't care about service delivery, this would not be a > good idea.. Having your server updated with the latest security patches IS one of the layers of defense you talk about. And that is the one where some how a hacker finds a way to get standard user account access on your system. He then uses the exploit that you did not patch because you only relied on some external security measures. Hard and crunchy on the outside and soft and chewy on the inside. This is not a good security model. All it takes is one crack in that hard outer shell and your systems get owned. And if you don't practice all or as many of the best security practices all the time one day it will come back to bite you. Lets say this user at the moment does not have any open services or ports on their system so they ignore several security updates feeling pretty secure in their situation. A month or two down the road the user decides to enable http for a small web page they want to host. Shortly after opening the ports the users system is hacked due to a security bug in http and because they did not have their OS patched the hacker was able to gain root access very easily. Ooops, the user forgot about those security patches. By not trying to follow best practices all the time people back themselves into problems without ever realizing it. -- Scot L. Harris webid@xxxxxxxxxx Sendmail may be safely run set-user-id to root. -- Eric Allman, "Sendmail Installation Guide"