Steffen Kluge wrote:
> On Tue, 2005-11-29 at 14:13 +0800, John Summerfied wrote:
>> If there's a kernel update fixing a security problem only exploitable
>> with local access, and I control the only account with local access,
>> then I don't need it.
>
> Are you sure? If there's a bug in httpd that allows an attacker to run
> code as user apache, then the kernel bug may become quite useful to get
> root.

I had some difficulty accessing material outside of /var/www as user
Apache, on WBEL. Try it.

> Why run with a known vulnerability, just because one isn't smart enough
> to think of an attack vector? Defense in depth...

Because the risk of breaking things, especially with Fedora, is greater.

I have seen two successful attacks against Linux systems in the time
since I deployed my first Linux server, running RHL 4.0.

Both were on account of weak passwords.

OTOH I cannot count the number of broken systems I've seen when upgrades
failed, when upgrades succeeded but their content was broken, when
hardware failed.

There was one near miss, where I applied an SSL upgrade a week before
someone tested me for its lack.

So there you are, no penetrations at all on account of software
vulnerabilities in umpteen years.

--
Cheers
John