Re: should i bother??

Scot L. Harris wrote:
Message reordered to fix top posting.

On Thu, 2005-01-13 at 15:44, O'Neill, Donald (US - Deerfield) wrote:


-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Alexander Dalloz
Sent: Thursday, January 13, 2005 2:19 PM
To: For users of Fedora Core releases
Subject: Re: should i bother??

On Thu, 13.01.2005 at 15:55, O'Neill, Donald (US - Deerfield) wrote:


As for the local root exploit, unless you have untrusted users with
shell accounts on your machine, the 'local exploit' is not an issue.

No, no and no. Possible local root exploits are always, under each circumstance, a risk. There is no excuse for not updating by installing a bugfix kernel.

Alexander




Since this is a home user, I'll ponder your advice with a grain of salt.
If the user upgrades and everything works perfectly, then fine, it's a
worthy task. But with all the kernel upgrades causing problems in this
and other mailing lists, disruption of service (availability) is a
fundamental principle of security. In effect, you've just caused
something you're trying to prevent.


Each scenario is different. If this particular user has no open services
available on this box, the possibility of someone compromising the
system is insignificant. Properly configured security layers prevent
this from happening in the first place.


In the enterprise environment, updates/changes break things very easily
and unless you don't care about service delivery, this would not be a
good idea.


Having your server updated with the latest security patches IS one of
the layers of defense you talk about. And that is the one where somehow
a hacker finds a way to get standard user account access on your
system. He then uses the exploit that you did not patch because you
only relied on some external security measures.


Hard and crunchy on the outside and soft and chewy on the inside.  This
is not a good security model.  All it takes is one crack in that hard
outer shell and your systems get owned.

And if you don't practice all or as many of the best security practices
all the time, one day it will come back to bite you.  Let's say this user
at the moment does not have any open services or ports on their system
so they ignore several security updates feeling pretty secure in their
situation.  A month or two down the road the user decides to enable http
for a small web page they want to host.  Shortly after opening the ports
the user's system is hacked due to a security bug in http and because
they did not have their OS patched the hacker was able to gain root
access very easily.  Oops, the user forgot about those security
patches.  By not trying to follow best practices all the time people
back themselves into problems without ever realizing it.


I always install kernel updates when they're released, mostly for the reasons above. I keep at least one previous kernel installed in case it breaks something, but so far it hasn't. While it's always possible that in closing one security hole another is opened, I trust the kernel developers to take every reasonable precaution not to let this happen. Also, you're better off closing older and better known holes than newer unknown ones, all else being equal.

Also, the power off bug mentioned on this forum a few weeks ago has apparently been fixed.  It took me a while to notice, so unimportant is that feature to me, but the laptop users were understandably annoyed.

--
David Liguori

