
Re: Wanting opinions...



On Fri, Jun 17, 2005 at 01:04:54PM -0500, L. V. Lammert wrote:
> That's crap and you know it. OpenBSD:
> 
> 1) Has been AUDITED for every aspect of the kernel

The kernel has almost nothing to do with remote exploits unless you have
any services running in kernel land.

> 2) There has been **NO** hole in the kernel for eight years; Linux can't 
> even say EIGHT MONTHS! They had, like, 20 kernel exploits last year alone!

What you're talking about are exploits that involve buffer overflows or
similar that can be opened by user code.  See also my argument from
above.

It's inevitable that you're going to have user code that will cause
something to be insecure.  That throws your whole proactive security
mindset right out the window because of that one hole.

> Locked down has nothing to do with auditing - don't confuse them.

I'm not even touching auditing here; you did that, and I just ignored
it.

> Huh? It's been running fine for MANY years, .. guess you didn't bother to 
> come to my 'Running Apache Chroot'd' presentation?? There is absolutely NO 
> problem with chrooting Apache, once you understand what's going on.

Badly-written apps that people use often don't work well in a chroot
jail.  My method gets around that.

If your users complain, you're not a good sysadm as far as they're
concerned, and they'll be willing to throw you out of that position.

> The ONLY problems come with badly written apps.

I'm glad we agree here.  See also my argument about user code.

> Again, nobody's talking about locking down; we're talking about kernel 
> exploits. Ever heard of a rooted OpenBSD server? Nope. Ever hear of a rooted 
> Linux machine? Been there, seen that.

See also my argument about user code.

Case in point, allowing untrusted users on GNU/Linux machines is not the
way to go about things.  Use BSD for that.

If you have no need to allow untrusted users on your servers, go ahead
and run GNU/Linux.

-- 
Nathaniel Reindl
Fedora Core 3 kernel 2.6.11-1.27_FC3 on an AMD Opteron 240

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.