On Tue, Mar 07, 2006 at 19:08:11 -0600, Jeff Vian <jvian10@xxxxxxxxxxx> wrote:
> On Mon, 2006-03-06 at 22:37 -0600, Bruno Wolff III wrote:
> > On Mon, Mar 06, 2006 at 18:59:49 -0500,
> > "Michael H. Warfield" <mhw@xxxxxxxxxxxx> wrote:
> > >
> > > In the security business, we have an expression for people like you.
> > > Those people who use the "install everything" button just because they
> > > "might" want something in the future (and then forget they installed it,
> > > if they even realize they installed it to begin with).
> > >
> > > We dub thee "owned".
> >
> > There is a big difference between installing everything and running
> > every service that you have installed.
>
> True, but having it installed makes it available to the attacker if the
> first line of defense gets breached. If it is not installed then it
> cannot be used. That is why the "owned" moniker applies.

Except that the vast majority of these extra packages are worthless for
escalating privileges. You need something setuid or linkable that has some
byte pattern you need. Setuid binaries should be protected by SELinux.
There are some risks from installing extra software, but it is more in the
area of plugins and apache modules.

> Not limited to just the modules. A recent exploit I became aware of
> results from php code that allowed global variables and URL injection to
> access the system. A friend's server became a spam bot for the
> attacker. Even though the mail server did not allow relaying, they were
> able to send it from the local host and got around that restriction.

PHP is covered under apache modules, though it is possible to run it as a
CGI program. The mail server is likely irrelevant. If they can run
arbitrary code in PHP, they can send out mail without using an installed
mail server. However, the config of the installed mail server might be
useful for getting past blocks put in place by the user's ISP.

> Any path is a possible weakness, and one weakness leads to others. If
> the door is not there (package not installed) it cannot be opened.

Security isn't about absolutes. The chances of most add-on packages being a
security concern if they aren't used are very low. It can easily be the
case that for some people the convenience of having packages preinstalled
is worth taking the small extra risk of some package they didn't really
need being used to escalate privilege after a partial break.
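The "php code that allowed global variables and URL injection" Jeff mentions is, on the assumption that it was the classic register_globals bug, the pattern below. This is an added illustration, not code from the thread or from the affected server; check_password() is a constructed placeholder.

```php
<?php
// Added example: why "register_globals = On" turns an unset variable into an
// attacker-controlled one, and the defensive pattern that survives it.
//
// With register_globals enabled (old PHP 4 / early PHP 5 setups), every
// GET, POST and COOKIE key is copied into a global PHP variable before the
// script runs. A request such as  page.php?authorized=1  therefore makes
// $authorized exist, and be truthy, before line 1 of the script executes.

// Constructed placeholder; a real check would use a stored hash, not a literal.
function check_password($user, $pass)
{
    return $user === 'admin' && $pass === 'example-placeholder-secret';
}

// --- Vulnerable pattern -----------------------------------------------------
// $authorized is only ever assigned on success, so the script relies on it
// being undefined otherwise. Under register_globals that assumption fails and
// the admin code runs for anyone who puts authorized=1 in the URL.
function vulnerable_gate()
{
    global $authorized;                       // emulates the injected global
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized);               // true if injected, even on bad creds
}

// --- Defensive pattern ------------------------------------------------------
// 1. Refuse to run at all if the dangerous setting is on; config drift happens.
// 2. Always initialise the variable yourself, so nothing PHP imported matters.
// 3. Read request data only through the explicit superglobals.
function hardened_gate()
{
    if (ini_get('register_globals')) {
        error_log('register_globals is enabled; refusing to serve admin page');
        return false;
    }
    $authorized = false;                      // never trust it to be "unset"
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized === true;
}
```

The same injected-global trick is what let attackers point include paths at remote URLs in that era, which is the route by which a web host ends up running someone else's spam script regardless of what the local MTA allows.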