Scot L. Harris wrote:
I always install kernel updates when they're released, mostly for the reasons above. I keep at least one previous kernel installed in case it breaks something, but so far it hasn't. While it's always possible that in closing one security hole another is opened, I trust the kernel developers to take every reasonable precaution not to let this happen. Also, you're better off closing older and better known holes than newer unknown ones, all else being equal.Message reordered to fix top posting.
On Thu, 2005-01-13 at 15:44, O'Neill, Donald (US - Deerfield) wrote:
-----Original Message----- From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Alexander Dalloz Sent: Thursday, January 13, 2005 2:19 PM To: For users of Fedora Core releases Subject: Re: should i bother??
Am Do, den 13.01.2005 schrieb O'Neill, Donald (US - Deerfield) um 15:55:
As for the local root exploit, unless you have untrusted users with shell accounts on your machine, the 'local exploit' is a not a issue.
No, no and no. Possible local root exploits are always, under each circumstance a risk. There is no excuse not updating by installing a bugfix kernel.
Alexander
Since this is a home user, I'll ponder your advice with a grain of salt.
If the user upgrades and everything works perfectly, then fine, it's a
worthy task. But with all the kernel upgrades causing problems in this
and other mailing lists, disruption of service (availability) is a
fundamental principle of security. In effect, you've just caused
something your trying to prevent.
Each scenario is different, if this particular user has no open services
available on this box, the possibility of someone compromising the
system are insignificant. Properly configured security layers prevent
this from happening in the first place.
In the enterprise environment, updates/changes break things very easily
and unless you don't care about service delivery, this would not be a
good idea..
Having your server updated with the latest security patches IS one of
the layers of defense you talk about. And that is the one where some
how a hacker finds a way to get standard user account access on your
system. He then uses the exploit that you did not patch because you
only relied on some external security measures.
Hard and crunchy on the outside and soft and chewy on the inside. This is not a good security model. All it takes is one crack in that hard outer shell and your systems get owned.
And if you don't practice all or as many of the best security practices all the time one day it will come back to bite you. Lets say this user at the moment does not have any open services or ports on their system so they ignore several security updates feeling pretty secure in their situation. A month or two down the road the user decides to enable http for a small web page they want to host. Shortly after opening the ports the users system is hacked due to a security bug in http and because they did not have their OS patched the hacker was able to gain root access very easily. Ooops, the user forgot about those security patches. By not trying to follow best practices all the time people back themselves into problems without ever realizing it.
Also, the power off bug mentioned on this forum a few weeks ago has apparently been fixed. It took me a while to notice, so unimportant is that feature to me, but the laptop users were understandably annoyed.
-- David Liguori
