Debian 2.2 "Has Major Security Issues"? UPDATED

A reader writes "Check the latest Kurt's Closet; he points to some interesting flaws on Debian 2.2, from a security point of view. " Kurt's Closet is part of SecurityPortal - he's got some good points, but it's also good to remember, as the article points out, that nothing is automagically secure. Always do testing on your own.Update: 08/30 01:44 PM by H :Thanks to Ben Collins, Debian guy, for sending a response which I've included below.Update: 08/30 04:32 PM by H :Kurt has written an update that will be appearing on the site soon. In the meantime, he also sent me the text - read below for more. From Ben Collins, To Kurt Seifred:

If you would have bothered to check the changelogs for the packages you noted as having "root hacks in them", you would have noticed that every daemon you pointed out is not vulnerbale to the holes you point out. Here is a list:

apache (1.3.9-13) frozen unstable; urgency=medium

* [RC, security] Backported security fix for Cross Site Scripting issue (CERT Advisory CA-2000-02) from apache 1.3.11 patch.
* Added default charset iso-8859-1 to initial configs.
* [RC, critical] Perl dependency reordered to "perl5 | perl", closes: #61421, #62427, #60575.
* Postinst no longer complains on missing /etc/aliases, closes: #60575.
* Cron script detects logfile lines with whitespace, closes: #59995.
* Fixed apxs filename edited when enabling modules (missing /g in rules sed); suppressed linking to -ldbm, closes: #53172.
* The apxs in apache-dev no longer needs apache binary, closes: #47221.
* Perms registered for suexec changed to 4755 from 4555, closes: #60147.
* Added text from beleagured Debian Webmasters to intro.html, making it clear the project is not responsible for installations, closes: #61414. * LICENSE file of manual included since 1.3.9-1, closes: #42940, #60994, #60995.

-- Johnie Ingram Sun, 16 Apr 2000 08:29:56 -0500

* Use setproctitle(%s,foo) in main.c, lamagra@DIGIBEL.ORG advisory.

-- Johnie Ingram Wed, 5 Jul 2000 18:50:07 -0500 As for netscape 4.75, it is *already* available in our potato-proposed-updates directory. Now I suggest you change the utter bullshit you have on your review to reflect the real information, and next time do some more digging before you make false accusations and spread misinformation like this.

From Kurt

Well, it looks like I made some significant mistakes in this article. I'm not a long time Debian user, so I am somewhat unfamiliar with it. It appears Debian backports fixes, and that Apache 1.3.9 and ProFTPD 1.2.10pre10 are not subject to the various vulnerabilities I mentioned. Unfortunately I did not read all the changelogs in question (in /usr/share/doc/*/). If I had, I would have noticed this.

Folks, I assumed (assuming is bad, I know) that Debian does updates like most distro's. I expected that if Apache 1.3.12 comes out with bugfixes, that they would issue a 1.3.12 package, not backport the changes to 1.3.9. I've also been writing a weekly Linux security digest for several months now, and while there have been Debian advisories regarding Potato, most of them mention the changes being merged in, rather than warranting a new release. I should have noticed that.

While RBL's failure isn't Debian's fault, my point is that they go to great lengths in some areas to make the distro "more secure", but are missing other very key elements.

I officially apologize to the Debian community, and am glad to have been made aware of an important point: Debian backports fixes, and it is necessary to read all the changelog files in question.

-- Kurt

CNN

Check out the cnn article here.

Untrue

...remember, as the article points out, that nothing is automagically secure.

OpenBSD - Three years without a remote hole in the default install.

Re:Untrue

[santeri]

LOL! Actually I was just going to install OpenBSD as my new gateway (using FreeBSD as of now, but the change to SPARC platform makes changing the OS convenient, too). Debian is a super dandy workstation or server OS (I have four machines running it; 2xwoody, 2xpotato), but I came to same conclusion as the author regarding some of the issues and won't bother using it connected straight to public networks any more.

Not that Debian couldn't be secured with a little extra work, but I prefer to be a _little_ lazy with my installs.

______________

Re:Untrue

[scon31]

Obviously in your case open source doesn't equate with an open mind. Plenty of people install and use it on a daily basis. Most of our servers and firewalls run on it and I sleep a little easier as a result.

Try installing it yourself - you'll save hours over trying to tie down any linux distro. Same for solaris too :-)

Re:Untrue

[zyklone]

Which is completely wrong since the proftpd shipped with Debian is patched.
You must have been to busy trolling to get a clue.

Re:Untrue

[DJ+Wipeout]

The day will come when OpenBSD's default install will just be /bin/cat. Mark my words.

Re:Untrue

[kijin]

read the retraction dumbass

Security patches were applied on many packages

[Victor+Ng]

If anyone actually BOTHERED to look at the CHANGELOG of packages, security patches have been backported.

Ex: Apache:

http://cgi.debian.org/cg i-bin/get-changelog?package=apache

IOTW - the security may not be perfect still, but let's not get carried away just because we're too damn lazy to read.

Re:Security patches were applied on many packages

[zoefff]

So if I want to know the security level of each and every program in Debian, I have to read night and day and have to know which patch adresses which flaw? It's ok (VERY ok) that those pathes are included, but it's also confusing (very confusing I might say

Re:Security patches were applied on many packages

[puetzk]

no, you have to read the bugtrack system, which has a note to the effect of apache (1.3.9-13) frozen unstable; urgency=medium * [RC, security] Backported security fix for Cross Site Scripting issue (CERT Advisory CA-2000-02) from apache 1.3.11 patch If you knew about the bug, you should probably watch the bugtrack system to know that a fix is avaiable. If you didn't know, they you're none the worse off for the fact that it was fixed and apt-get upgrade probably took care of you. Admittedly, I'd like to see all bugs opened [RC,security] get posted to the security page too...

Re:Security patches were applied on many packages

[Victor+Ng]

Hold on a second, you're a sys admin who installs packages _without_ checking the changelogs? You're telling me that you blindly upgrade packages without checking on the impact of said packages on production systems?

Clearly you are on the super heated smack.

Re:Security patches were applied on many packages

[sjames]

Creating their own scheme just confuses everyone. If they have patched apache so it is the equivalent of 1.3.12, then call it that, so that the sys admin knows that both the Solaris box and debian box are up to date.

But they didn't do that! They just backported the security and bug related fixes. For new features, you'll need the real 2.3.12 release when it's available (or install it from tar.gz and take your chances).

Re:Security patches were applied on many packages

No, I'm saying it is easier if everyone uses a consistent versioning scheme as set out by the author of the program.

It is a waste of precious time if I have to looking around for change file or other documentation to discover that the Apache 1.3.9 on debian is actually what everyone else in the universe is calling 1.3.12

Besides, if I have read the change log from the Apache group, why should I then have to read each distribution or OS version of that change log? (it is reasons like this debian stupidity that company's standardize on MS, while it may not be optimal at least with MS you don't have to deal with distribution A doing things there own way)

Finally, yes there are a lot of things that a sys admin should ideally do. And if you can that is great, but out in the real world more often than not there are not enough hours in the day to do everything that must be done. So dealing with a distribution that makes life more difficult (like debian appears to do) it not worth it. I had intended to try out Debian, but not now. Life is too short already without dealing with meaningless version numbers.

Re:Security patches were applied on many packages

[mike_markley]

Uhm. Actually, the features are still 1.3.9. It's just got the security fixes backported. So really, it's not 1.3.12 at all and other than the security problems it works exactly like 1.3.9. It's 1.3.9 without the hole. Get it?

Re:Home directory permissions

[wangi]

don't agree that user home directories should not be world-readable by default. That just encourages a false sense of security, giving users the idea that they can keep files 'secure' using permissions. If users want sensitive information kept private they need to encrypt it.

So lets just ditch permissions then? On a secure system permissions are a good method of 'keeping things private'. However if the system isn't secure (everyone and their dog knows the root password) then you've got bigger concerns...

MS vs Open Source

why is it that when there's a Microsoft security issue, the title of the story is always a statement while when someone posts an article about security problems in linux or other major open source applications, it's always a question or doubting statement?

Re:MS vs Open Source

[shallot]

Because we all know Debian owns you d;o)

Re:MS vs Open Source

[Leto2]

Because
a) editors at Slashdot are extremely biased and by no means objective whatsoever and
b) this time they were sort of right, because the article does not talk too much about real security issues but instead blabbers about Debian's Exim using RBL not completely right or something.

Granted, if Debian does all the things Kurt proposes, Debian will get a lot better, but not neccessarily a (more) secure distro.

Ivo

Re:MS vs Open Source

[Black+Parrot]

> it's always a question or doubting statement?

Needs demoronizer?

--

Re:MS vs Open Source

[WWWWolf]

(Oh dear God, another MS FUD Campaign Participator... [1])

My own theory: This happens because Microsoft products are known to resemble Swiss cheese (holes, not the taste) even when the experts are maintaining them, while most Linux dists come with at least some sort of security built in (ie, if you're not an idiot, it should be fairly secure).

Point two: Article writers, as you may have noticed, tend to be a bit biased. =)

[1] I'm referring to the interesting tendency that messages like this appear very very often in Slashdot - it may (if we're paranoid enough) sound like an astroturf-style FUD campaign. =)

Re:MS vs Open Source

[ictatha]

Is that a rhetorical question?

Re:MS vs Open Source

[Sygnus]

Actually, it says

There are also a number of other packages with security flaws and no updates available yet. Xchat, for example, has a well-known hole. Red Hat and Mandrake have issued updates; nothing from Debian yet.

Non-free packages, I'm sure.

X-Chat is GPL.

Re:MS vs Open Source

[WWWWolf]

"Dogma"? Since when Slashdot has been a religious authority? =)

The point: They All Suck. But Linux sucks less, at least based on my experiences. =)

It's not a secret that both have security holes; however, with open source systems, the security-related bugs tend to get fixed in finite time.

What is "dogma", then?

Dogma \Dog"ma\, n.; pl. E. Dogmas, L. Dogmata. [L. dogma, Gr. ?, pl. ?, fr. ? to think, seem, appear; akin to L. decet it is becoming. Cf. Decent. ]

1. That which is held as an opinion; a tenet; a doctrine.

2. A formally stated and authoritatively settled doctrine; a definite, established, and authoritative tenet.

3. A doctrinal notion asserted without regard to evidence or truth; an arbitrary dictum.

Syn: tenet; opinion; proposition; doctrine.

(Webster's Revised Unabridged Dictionary, 1913)

So: Dogma is an opinion handed down from above. Call me paranoid, but using "dogma" in this case smells of FUD-spreading - "The Linux Folks are Believers, and Taco is their Pope". Believe me, I have seen a lot of ugly MS trolls telling us what they think of "Linux Believers"... and I'm bored.

The fact, with or without opinions, is that Windows has showed itself to be less secure, or that security bugs have been fixed later than in case of open source projects (need I remind of OOB?).

Bah, get the hence, AC... =)

Re:MS vs Open Source

[Trepalium]

You want sendmail. Easy enough.

apt-get install sendmail

Done.

Secure by default

[jjr]

Linux distros need to start making changes to there default install to a secure install. So people if people wants to use a service they have to turn on themselves.

Re:Secure by default

[psxndc]

I belive this is pronounced: "OpenBSD"

-psxndc

Re:Secure by default

[mariab]

Any machine is only as secure as the administrator makes it.

imho there are a lot of things in the article that aren't the result of Debian being "bad" they are the result of incompetence or of overlooking obvious details.

ok, so maybe we should do what this poster suggests, but if you can't handle doing basic security-wise configuration, you shouldn't be setting up a machine that needs it. Sometimes you just have to take responsibility for things, you can't just say "suchandsuch should have done thingummybob".

Re:Secure by default

[Nexx]

imho there are a lot of things in the article that aren't the result of Debian being "bad" they are the result of incompetence or of overlooking obvious details.

I agree completely. You have to take a proactive measure to security, regardless of what system you run, be it Linux, *BSD, Winblows, whatever. Then, someone will counter, "but I have to install N machines, same (or very similar) configuration for the foo application!".

Well, son, you have several choices.

1. You can manually configure each and every box. Of course, this is the stupidist way of doing so, but guaranteed to get you more OT. Then again, I have not known a competent SysAdmin who likes work like this.
2. You can build your own distro. But then, do you really want to do this?
3. Build your own installation scripts. Not only will this save you time by being able to hand this installation process over to a kid getting minimum wage, but now you get to do something a little more challenging than building a box and making it secure. At the very least, you can build one box properly, install a skeleton OS on the others, and just do a batch copy between the boxen.

I did this at one of my clients' sites, where we had over 600 SPARC boxen. Of course, took it one step further, by providing an install server, but then, this was also in a very protected subnet.

Do it only once, but for Seldon's sake, do it right!

--

Re:Secure by default

[Stary]

Really, let's compare a few things here:

We like to talk about how linux will get stronger in the desktop market. Well I'd say that depends on the attitude. It's gonna need some help. Imagine the roar on /. if MS released a Windows Millenium Super Extra Special Edition, that defaulted to an install with open services on ports 1-1024.

The only way a sysadmin is gonna be sure he knows about his system is to have everything off by default. Rather than a "hey I found out apache was running and turned it off, i wonder what else may be running", I'd like a "I turned on service1 and service2, because i needed them and nothing else". There is, simply put, no reason to make anything that's not secure by default.

Of course it's your responsibility, but if you dont sometimes say "suchandsuch should have done thingummybob", then you can take that as far as you like. It suddenly becomes your responsibility to know everythign about every program installed on your box. That's not an option if you want linux to gain a wide use as a desktop.

As a final note, if you replace "suchandsuch" in your sentance with Microsoft, then you have a sentance that lots and lots of slashdotters use a lot, especially when it comes to security.

Re:Secure by default

[carbona]

I'm still amazed that distros have not started doing this. As many have stated before, if you don't know how to turn on a service, you have no business running it. This would go a long way in making Linux distros more secure out of the box. Can someone who does packaging for a major distro explain what advantages are lost by taking this strategy?

r services disabled by default?

[antifuchs]

IIRC, the postinst of netbase (it was netbase, wasn't it?) asked whether you wanted to disable daytime, exec etc. services in the inetd.conf file, about since a month ago.

Dunno whether the author of the article missed it, or whether the postinst was changed again, but I'm pretty convinced that this point is invalid.

--
this post was brought to you by Andreas Fuchs.

Re:r services disabled by default?

[Decklin+Foster]

You are correct. It's been this way for quite a while.

Re:r services disabled by default?

[cbutler]

IIRC, the postinst of netbase (it was netbase, wasn't it?) asked whether you wanted to disable daytime, exec etc. services in the inetd.conf file, about since a month ago.

Not only that, but the rsh/rlogin/rexec daemons are NOT installed by default on new Debian 2.2 systems. They are in the package rsh-server, which is priority Extra.

Sorry..

[mindstrm]

Nothing in that article really qualifies as a 'security hole' in Debian. And most of the things in the article are common to *ALL* distributions. LEt's look at them.

- Single partition / for whole system as a *default*.
Well.. first, you *DO* have the option of changing this when you install. It's not an 'automatic' thing insomuch as windows does this automatically. And from what I know, most home users do this anyway Servers no, Home use, yes.

Crypt passwords (instead of md5) by default. HELLO.. the screen ASKS you what you want to use, and just happens to have 'crypt' already selected. And they *are* right.

Now.. basic inetd services (time, echo, discard). Yes, those of us security minded tend to shut these off.. however... I think it's common knowledge that the *FIRST* thing you do with a new distro is go in and disble these. I have yet to use a distro that doesn't put these in. And I'm unaware of any current (or past) security holes in the basic inetd services. These services are *internal* to inetd. If you are *really* worried about inetd's security, why not STOP RUNNING IT ALTOGETHER?
As for 'login' and such... see above. Commenting out inetd is standard pratcice. EVERYBODY knows that.

'gnuplot' is mentioned for some reason.. even though they install it correctly (as the article says).

And EXIM using RBL? What has that to do with security (whether or not RBL is currently working?).

Okay. Calling DPKG a security problem because it doesn't allow package signing? I'll grant that's kind of valid.. but how many signed packages are their in any other linux distribution? I don't believe I've ever seen even a single one! (in other words.. who cares if RPM can do this if nobody uses it). Oh wait.. you could always just INSTALL RPM!

The users home directory thing.. that's something to always check on every distro, because it's always different wherever you go. As the admin, if you don't like it, change it. Also.. the permissions suggested on users home directories lulls them into a sense of security ;)
lilo doesn't use sulogin? C'mon.. if you are local, you can break in *anyway*. Lots of distros don't use sulogin, and nobody has a problem.

I have to catch a plane, so I can't get the rest of the article (There look to actually be acouple of valid thigns that could use patching mentioned).

But that whole first section of the article is just whining about settings not being exactly the way the author would have liked them,.

Re:Sorry..

[ianezz]

Calling DPKG a security problem because it doesn't allow package signing? I'll grant that's kind of valid..

Not necessarily a valid argument, as you can read in an old Freshmeat editorial, where representative of both Debian and RedHat made really interesting points on the subject.

Re:Sorry..

[Tet]

how many signed packages are their in any other linux distribution? I don't believe I've ever seen even a single one! (in other words.. who cares if RPM can do this if nobody uses it).

Actually, every RPM issued by Red Hat is signed.

Re:Sorry..

[jallen02]

EVERYBODY knows that.

I will cut you some slack and assume everybody falls into the Everybody(Read:*nix power users)

However, I dont think most people have a clue what they install as the default. Sendmail setup as an open relay by default? When your first learning unix do you know what sendmail is?

I bet learninga bout it is a painful lesson when your machine is hacked or left on a college network full of people ahem.. learning about all facets of comptuer err security.

So yeah after you learn a little its rather easy to go through and pick services you need running and pay attention to Bugtraq/security focus and patch up any bugs for the services you run.

Now.... the average user is not going to just realize (he|she) needs to go to these places or that these things are even insecure..

Jeremy

Re:Sorry..

[DanMcS]

I think it's common knowledge that the *FIRST* thing you do with a new distro is go in and disble these. If you are *really* worried about inetd's security, why not STOP RUNNING IT ALTOGETHER? As for 'login' and such... see above. Commenting out inetd is standard pratcice. EVERYBODY knows that.
Um, nope. When I started running linux, the redhat 5.2 manual said nothing about that. Neither did any of the docs I found online, or in the new-linux-user-help type webpages, nor anyone I spoke to on IRC, or over email. I just happened to be talking to a friend and the subject came up, and he said the same thing, "oh, you should turn a bunch of stuff off, everybody knows that." If it's enabled by default, but "everyone" knows to turn it off, why not have it off by default, and let the people that need it, enable it?
--

Re:Sorry..

[teg]

Okay. Calling DPKG a security problem because it doesn't allow package signing? I'll grant that's kind of valid.. but how many signed packages are their in any other linux distribution? I don't believe I've ever seen even a single one! (in other words.. who cares if RPM can do this if nobody uses it).

We always sign the packages shipped in Red Hat's packages and our updates.

Crypt passwords (instead of md5) by default. HELLO.. the screen ASKS you what you want to use, and just happens to have 'crypt' already selected.

Not a big problem, IMHO - as you write, just choose MD5. However, there shouldn't be problems doing that - Red Hat has used pam for years with MD5 support (and for quite some time used as default), so problems should be long gone. And they *are* right. Oh wait.. you could always just INSTALL RPM!

Re:Sorry..

[jallen02]

I wonder how many people secretly chortle at my signature I am heh.

Jeremy

Re:Sorry..

[Harik]

However, I dont think most people have a clue what they install as the default. Sendmail setup as an open relay by default? When your first learning unix do you know what sendmail is?

Sendmail is _NOT_ configured as an open relay by default on debian. You have to specifically add allowed-relays if you wish to smarthost.

--Dan

Re:Sorry..

[Captain+Derivative]

I agree. Does anyone know of a good site that explains what you need to do to disable whatever daemons and such you don't need running, and anything else you need to do to secure a freshly installed Linux distro?

Yes, I am a Linux newbie, but the docs that come with, say, Red Hat 6.2, don't mention anything about how you go about disabling sendmail (which in RH6.1 is installed even if you tell it not to put it on), inetd, wu-ftpd, and whatever other programs, daemons, etc. need to be disabled, removed, or at least reconfigured.

Like you said, it's one thing to say "well, if you're running *nix, you should already know this stuff" and then kvetch that Linux isn't taking over the home desktop market.

Oh, and thanks to anyone who can tell me where I can read about all this stuff.

--

Re:Sorry..

[wegster]

Ok, not every NEW Linux or Unix user knows to disable some inetd services. The same can be said for file and print sharing on Windows. Or worse, does that wonderful 'share your printers with your friends over the Net' thing still exist on the MS downloads page? Back on topic- you're right, not everyone knows this. At this stage of Linux distros, you need to do a bit of research for a 'relatively secure' system. It would be a HUGE plus if the distros offered a 'secure install' that simply disabled EVERYTHING you didn't specifically ask for, or perhaps a 'disable all lesser used daemons' option. Let's face it- most distros installs seem to try to make it 'super simple and easy' for new users. Just hit enter a few times and it's basically installed. RHs 'groups' you can select leave a bit to be desired- with so many packages it gets monotonous to install via selecting every individual package, but there's no 'networked server with secure settings' option at this point, so regardless of which install mode you choose, you usually wind up removing or at least disabling things. We're making progress, but it would be a big benefit if the installs had 'safer' default configurations. (eg don't start apache just because it's installed, don't run daytime, finger, ftpd, etc etc without the user specifically enabling them.) Scott

Re:Sorry..

[KmArT]

For new users, I would recommend getting a copy of "Securing and Optimizing Linux - Red Hat edition" available from http://www.linuxdoc.org. Its more of a checklist of what to disable with Red Hat (which I feel Red Hat should do by default but...) but its a good place to start to at least close some of the holes that Red Hat leaves open with a default install. Red Hat is notorious for having a myriad of dependencies which result in things like sendmail getting installed and activated, even though you disable it - at one point, I counted like a dozen packages that I specifically deselected and they still got installed anyway.

My personal opinion is that if you are running *nix, you should know this stuff. Not every end user is going to be a *nix expert but being ignorant of the operating system you are using is something that irritates me. However, I also believe that if vendors like Red Hat are going to market to the home user, they need to educate the home user and/or make their default install more secure. It is lame and irresponsible to just install everything and enable everything by default.

The guide I mentioned above is a good checklist for fixing open security problems in that it helps you whittle your install down to only the files you need. Its hard to get hacked via the rpc.statd exploit if you don't have the NFS stuff installed. However, one major problem I have with that guide is that it functions mainly as a checklist (not to mention that its 95% regurgitated config files, READMEs, RPM listings, file listings, and kernel sysctl Documentation) is that is mostly a checklist. Its long on the "delete this package, that package, make this change, do this, then that" and short on explaining why or how a service or package is a real problem. Of course not everyone cares about the inner details of exploiting services but the best defense, in my opinion, is a good dose of common sense and a good notion of how someone can exploit what you have. For that, experience is the best teacher and I haven't found a HOWTO for common sense anywhere (maybe thats why so many people are clueless). If you want a sort of overview of how hackers operate and how they might exploit something, I might recommend "Hacking Exposed" by Stuart McClure and Joel Scambray.

Hope this helps. email kSeviTn_OmyPer@iuS13.kP12.pAa.uMs if I can be of more help. (Remove the STOP SPAM)

Re:Sorry..

[sjames]

Yes, I am a Linux newbie, but the docs that come with, say, Red Hat 6.2, don't mention anything about how you go about disabling sendmail (which in RH6.1 is installed even if you tell it not to put it on), inetd, wu-ftpd, and whatever other programs, daemons, etc. need to be disabled, removed, or at least reconfigured.

Look in /etc/rc.d/rc5.d and rc3.d. All scripts in there are links to the startup scripts of the various daemons. If you want to kill off sendmail, do:
./S80sendmail stop
rm S80sendmail

The first kills the daemon, the seconds keeps it from running next time you boot.

For inetd, vi /etc/inetd.conf. Insert a '#' in front of any service you don't want.

After saving that, killall -HUP inetd to make it re-read the configuration.

Re:Sorry..

[dhuff]

I agree. Does anyone know of a good site that explains what you need to do to disable whatever daemons and such you don't need running, and anything else you need to do to secure a freshly installed Linux distro?

Well, if you're running RedHat or Mandrake, you could make your life easier and check out Bastille Linux, a hardening script which enhances the security of a Linux box, by configuring daemons, system settings and firewalling.

Re:Sorry..

[vdanen]

You said:
Okay. Calling DPKG a security problem because it doesn't allow package signing? I'll grant that's kind of valid.. but how many signed packages are their in any other linux distribution? I don't believe I've ever seen even a single one! (in other words.. who cares if RPM can do this if nobody uses it). Oh wait.. you could always just INSTALL RPM!

I say:
Mandrake has been signing RPMs for a *long* time. I don't know about any other distro, but Linux-Mandrake does it without fail on every package we put out.

Re:Sorry..

[ufdraco]

actually, better is to go into /etc/rc.d/init.d/ and shut off sendmail there via ./sendmail stop and chkconfig --del sendmail

For more info: man chkconfig

Re:Sorry..

[RickHunter]

Well, yes, that would be the intelligent thing to do. Unfortunately, most distros don't. I've found that Debian is reasonably good about what it enables and disables by default, but I still have to do some work...

-RickHunter

LILO password

[Ray+Dassen]

In order to be able to use "init=/bin/sh", one needs physical access to a machine (discounting the rather obscure case of having a serial console that's accessible via a network). With physical access, there is no such thing as security. Having a LILO password makes things slightly more difficult, but IMO that'll just give a false sense of security: think of booting from a different device, temporarily placing the hard drive in a different machine etc.

Re:LILO password

[antifuchs]

With physical access, there is no such thing as security.

There was a (no, more than one, actually) flamewar on debian-devel on this issue. One about the autofs daemon, and one about the MBR that is set up on initial install.

They all started with your argument, and they ended with the participants throwing nothing but profanities at each other. So, before you reply to this post saying something along the lines of "But lilo should be secure, too!", please, please check out the Debian List archives to see whether your point has already been made!

Thank you for avoiding trouble. (-:

--
this post was brought to you by Andreas Fuchs.

Re:LILO password

[BlowCat]

Having more passwords increases your chances to catch the bad guy at the spot.
A safe that can be opened in 1 hour is better that one that can be opened in 5 minutes.

Re:LILO password

I'd set a LILO password on my machine at work. It is easy to inhibit booting from a different device with many machines by setting the BIOS boot sequence.

IMHO the main idea is not to allow the casual nosey colleague to boot the machine. For most home users a password is just a pain in the back anyway.

Same goes for the permissions as far as I am concerned. Imaging the first thing Joey the Brain tries is an ls -l, the one command he has ever heard of, and it does not work -- can you spell panic ?

Now not a distribution user I don't know any of it, but perhaps something along the line press Y to secure the system would be a nice idea.

By the way - changing /home/joey's permissions seems to be a rather silly idea as I am probably going for root anyway.

To be honest, and as someone else wrote already, that article seems to be more about what the author disliked than about security which does not come that cheap -- if you really need it.

Re:LILO password

[NighthawkFoo]

SuSE has shipped with a "hardening" script since version 5.3. You run the script, and it asks you various questions about what you want to use the system for, what you want to turn off, etc. It sets permissions to "paranoid", doesn't allow users to su as root, kills inetd, and lots of other things that you can specify.

It's not too useful on a desktop system, since it's overly paranoid, but I used it on a 486 that sat in the corner of my dorm room. All it did was crack RC5 keys anyway :)

"I may disagree with what you have to say, but I will defend to the death your right to say it"

Re:LILO password

[shippo]

Even if a machine is secured, physical exploits can usually be made. However I once saw a machine that was supposedly impervious to physical exploits.

The case lock was the most complex and secure I'd ever seen, which coupled with a hardened case made it very difficult to get into without damaging the data. The mirrored hard disks were connected to a custom controller that encrypted the data during disk writes (and doing geometry translation as well, I believe), making it impossible to read the contents if a disk was salvaged and placed into another machine. There were other security issues as well.

Unfortunatly the manufacturers had spent so long on R&D and certification testing with the MoD (UK equivalent of the DoD), that by the time the machine was released to the public the specification was so out of date that the machine was unuseable by modern software. :-)

Re:LILO password

[Tower]

How are you supposed to get in as root if you can't su? A secure box shouldn't allow root console access - if you force su access, you can trace who is logging in as root, otherwise, well, 'console' isn't all that helpful (without a timed vid record).

--

Re:LILO password

[HiThere]

Actually, I prefer that a somewhat knowledgable user (me) be able to get into the machine if physical access is available. Any file can become corrupted, and the doesn't exclude password file.

OTOH, I suppose that having the capability to add a password to LILO wouldn't be all that bad. There might well be situations where it was appropriate. But I bet that controlling physical access would be both safer and, in the long run, cheaper. If nothing else, just stick the computer in a wire box, and lock the box. Not too expensive, doesn't lock out any authorized person who really needs to get in, is secure against the only person who knows the password going to work elsewhere, etc. (We have a computer set up that way right now ... only we never bother to lock the box. I suppose that this might be an argument against the approach.)

Re:LILO password

[ahde]

if lilo w/o a password is a security flaw, then they should mention that merely having a floppy disk on the machine or not having welded the case shut is a much worse risk.

rawrite bare.i a:

Re:LILO password

[richie123]

A better idea is to set the boot delay to 0 and use lilo -R to set defaults for next boot( for you dual booters out there)

Re:LILO password

[Rumble]

Disable booting from floppy and password protect your bios will solve the floppy disk problem. But as for the physical access problem... I can't really think of anything that wuold solve that...

One possibility for the future is to have a record of some sort of serial number in the system BIOS that verifies the boot device against some sort of serial number or checksum or whatever, which would limit the ability to boot to a different hard drive.

Re:LILO password

[DrSkwid]

by the time the machine was released to the public the specification was so out of date that the machine was unuseable by modern software.

can I smell BS?

.oO0Oo.

Re:LILO password

[shippo]

No BS!

The machine was the Opus Datasafe, released 8-10 years ago. Unfortunatly it was only an 8086/8088 machine with very modest disk capacity, and even at that day and age useless for anything other than a low-end workstation.

Are Opus still going? I havn't seen any of their kit for years.

Re:LILO password

[shippo]

Which means that when the hard-drive fails, and you need the machine up and running ASAP, you are in deep doo-doo!

I had one system that could only use hard-drives pre-formatted by the manufacturer. The drives were standard off the shelf models, but sold at at least 300% mark-up. A nasty form of customer lock-in, even if you could still fit the drives yourself.

One such machine failed, and it was not possible to get hold of a spare due to the maintenance company screwing-up. The machine would have been down for a week if we hadn't canibalised a less critical machine which resided at another site.

Re:LILO password

[sjames]

Disable booting from floppy and password protect your bios will solve the floppy disk problem.

Make sure your BIOS has no backdoor passwords in it. Some did a few years ago for when a luser would set and forget a password then call tech support. I don't know if that practice has stopped or not.

Other physical access problems are a lot harder. It is impossable to make it ABSOLUTELY secure from physical attack while still being a usable system. If security is paramount, a kernel hack that asks for the key to the encrypted root filesystem on boot would be a good start.

Re:LILO password

[DrSkwid]

cripes that is a long time ago

if it's file server security you want plan9 offers a good system.

the file server has no console and access to the disks is via the auth server which is a separate machine
.oO0Oo.

Re:LILO password

[dvdeug]

Not if the good guys don't have an hour to spend each time they want to open the safe.

Re:LILO password

[thopkins]

They all have the password backdoor of taking the battery out so that the info including the password is erased in the BIOS.

Re:LILO password

[sjames]

They all have the password backdoor of taking the battery out so that the info including the password is erased in the BIOS.

Absolutely. Many motherboards even provide a convieniant jumper for that now. At least it's harder to inconspicuously open up the case to reset the password than it is to go in (looking like a run of the mill techie), and use a backdoor password.

The more paranoid will put a good lock on the case so that opening it is much harder to do.

backported bugfixes.

[arcade]

The author of the article should read the changelog for the proftpd daemon, for apache, and so forth. Debian has a tendency to backport security fixes instead of shipping the newest versions. I find that much better than always shipping the latest and greatest bugware. :)


--

Re:backported bugfixes.

[LizardKing]

Debian has a tendency to backport security fixes instead of shipping the newest versions

A bit of a bizarre thing to do in the case of the APache and ProFTPD versions mentioned in the article. The newer versions only include bugfixes - so why not ship the real thing? I can't beleive that the Debian maintainers know more than the Apache/ProFTPD maintainers about the inner workings of the software, so what makes their backported fixes any better?

Chris

Re:backported bugfixes.

[nafmo]

Debian does not ship with the latest versions simply because they came out after 2.2 hit freeze. Freeze means (basically) that no new versions are included, and only bugs and security holes are fixed. That's why those fixes were backported.

Re:Home directory permissions

Permissions (as seen on unix systems) are a horrible way of managing access to files. Every user has to be aware that his/her umask is set to some reasonable value. This value differs from situation to situation. If you are working on a project with multiple people 002 is good it the others are in your group. If you are working on private files 077 is better. How often do you change your umask when you are doing some editing? Useing permissingbits for access is asking for trouble (the users I've seen with 002 umask for files in their homedir).

Furthermore, access is managed on a per-file bases. Access control on a per directory bases is easyer to handle and suffices in 90% of the cases. Persmission bits are not centraly managed, wich makes things harder. Acces control lists are easyer to manage and are more natural.

If I want the http deamon access rights to part of my directory, but do not want other programs reading that I have to juggle with groups and permissions. I have to check every file in that directory for the rights permissions group id's. For all my accounts I use a script with a dozen chmod's and chgrp's to set permissions for my directories and files right.

<b>Screw permissionbits, I want ACL's (something like netware)!!!</b>

Due to long release cycles

[Leto2]

The author of the article claims a lot of packages (he mentions apache and proftpd) are out of date, while he didn't realize that Debian 2.2 was frozen months ago. This means that at release, packages are dead-stable (they wont crash) but might have a few holes in them by now. And, as another poster pointed out, backfixes do exist.

Ivo

Re:Due to long release cycles

[antifuchs]

This means that at release, packages are dead-stable (they wont crash)

Sorry for the minor nitpick here: it does not mean that the packages won't crash, it just means that none of them have release-critical bugs (== bugs with a severity above "important") in the Bug Tracking system that can be fixed before the release.

If they can not, they will have to wait until the next revision (that would be 2.2r1) and go into the release notes.

--
this post was brought to you by Andreas Fuchs.

Re:Due to long release cycles

[Leto2]

Re:Due to long release cycles (Score:0)
by Anonymous Coward on Wed August 30, 14:37 CET (#83)
Where is the Debian fix for ProFTP and when was it fixed?

here, and now shut up.

Re:Home directory permissions

[Hammer]

That's a rather stupid approach. It's like saying let's not require passwords since that gives a false sense of security.
Sure, permissions is not the ultimate secure solution, but it's a whole lot safer than letting everyone read users home directories.

I don't know if I would call this major.

[Dast]

Honestly, most of the author's nitpicks are small. Debian ships with the same kind of default settings as most Linux distros do these days, openings in inetd, one large / partition, some older apps with holes, and silly home directory permissions. Really not much a seasoned user can't handle; if you are the kind of user who just installs the default and leaves it, you probably shouldn't be using any sort of unix (or unix-like) system (maybe with the exception of openbsd, which happens not to work with my network cards).

The default crypt passwds, I admit, was kind of dumb, but it takes one command usually to change. Not a big deal. I don't get his beaf with dpkg not handling signing automagically; nothing stops you from signing it with gpg anyway and checking the sig by hand, or even writing the script to do it. Make dpkg do one little thing, and do it well; it might not need the kitchen sink welded on too.

I agree with him on two points, however: the improper lilo configuration, and the version of netscape that ships with 2.2. The default lilo lets you boot into single user root mode without a password, and the shipping netscape still suffers from the huge java hole. These are two very important pieces of software to most users, and might very well cause a lot of boxen to be compromised, so make sure you fix it.

Personaly, I think this attention will only make debian better for everyone. All in all, make sure you know what you are getting into when you install any distro. And subscribe to bugtraq.

Re:I don't know if I would call this major.

[pingflood]

if you are the kind of user who just installs the default and leaves it, you probably shouldn't be using any sort of unix (or unix-like) system

Wow, whatever happened to ``Linux is ready for the desktop,'' ``Linux is user friendly,'' ``Anyone can use Linux, down with the Microsoft empire''? Now it's, ``if you're a regular user you shouldn't be using this.''

Geez.

-pf

Re:I don't know if I would call this major.

[shallot]

Note that no Netscape packages ship with Debian GNU/Linux 2.2 proper; they are included in the `non-free' area of the FTP site, and are not included on the official CDs.

Updated packages can usually be found at the Debian FTP sites, either at security.debian.org or in dists/proposed-updates directory of ftp.debian.org (and mirrors thereof). Most of those packages will be integrated into Debian GNU/Linux 2.2r1 when the time comes (probably in a month or so), and the official CD images will be rebuilt.

BTW the problem with login, shell and exec services not being disabled is a bug caused by some sloppy dependencies in task-x-window-system task-package, which pulls in installation of rstart{,d} packages, which in turn enable those services. It should get corrected soon, too.

Re:I don't know if I would call this major.

[.pentai.]

it's kind of nice when people are willing to admit limitations, isn't it? I installed my latest linux box (debian 2.2 actually) to be a workstation. it runs 2 programs in inetd (auth, so I can irc, and fam, which is required my EFM). it doesn't need anything else. until someone comes out with a fully desktop distribution of linux, then he's right though, not just anyone should use it.

Re:I don't know if I would call this major.

[Hast]

Normal user != Person who installs OS's.

Worth repeating

[MartinG]

> Always do testing on your own.

I felt like repeating that bit. 'cos not many people do, and then they blame their tools when things go wrong.

And that applies to all systems of course though, not just Debian and not just Linux.

Kurt did a hack job

Man, that reporting was almost bad enough to be Jon Katz-level "quality."

Let's see, defaulting to crypt is necessary for compatibility with NIS+. Note that Kurt's vaunted Red Hat gives you the choice of crypt as well....

r* services simply aren't enabled in Debian by default. I don't know what Kurt was smoking, but they're not. Time, discard, etc., are, but if you can't trust them, you can't trust inetd period (which isn't to say I don't comment 'em out anyway ;-). Note that several other security-minded distributions also enable them. Look at, for example, the OpenBSD default inetd.conf and be amazed at everything that they enable.

RBL not working is a security hole? C'mon Kurt, if you don't like Debian, just say so. FUD gets you nowhere (though it does promote sales of your Red Hat-oriented books, I realize).

dpkg not doing GPG sigs is a problem. The new version does support it, and that'll be in the next release. In the mean time, there is MD5 sum checking....

Just because a distribution uses a different default permission set for home files than Red Hat doesn't make it insecure. It just makes it different than Red Hat.

I actually like the "prompt for password for LILO" suggestion. It's something no Linux distribution (including Kurt's vaunted Red Hat) does currently, but it's actually not a bad idea. Give the man one point.

Daemons: this point *could* have actually been valid, but if Kurt had bothered to do any research at all like a real journalist should, he would have discovered that Debian does not ship Apache 1.3.9. They ship 1.3.9 + backported security patches. Ditto for ProFTPD. The security hole he's claiming exists is a figment of his overactive imagination.

Similarly, contrary to his claims, Debian has released updates which upgrade to Netscape 4.75. Y'know, that's what apt-get upgrade is for.

Are all of Kurt's articles completely FUD like this one? I've never read him before, or even heard of him, but from what I've seen here, he seems rather clueless.... And I say that as someone who admins Red Hat for a living, not Debian.

Re:Kurt did a hack job

[LizardKing]

Look at, for example, the OpenBSD default inetd.conf and be amazed at everything that they enable.

But first you might like to take a look at the init scripts, where you'll find that inetd isn't enabled by default. On all my RedHat and OpenBSD machines inetd isn't running (on the RedHat machines it isn't even installed).

Chris

Re:Kurt did a hack job

[toolie]

Kurt has been known to suck at actually researching anything. A couple weeks ago he reported that Slack didn't have wu-ftpd patched when the patch was, in fact, released over 2 months before the advisory. Basically, I would avoid SecurityPortal and stick with SecurityFocus. At least they do research.

Netscape too?

[BlowCat]

I wonder how they backported security fixes for Netscape.
Perhaps it's not so funny as it's supposed to be...

Re:Netscape too?

Sheesh, netscape isn't part of the official debian distribution. Bugs in non-free packages has nothing to do with the distribution for they are not released with debian and are not included on the CDs.
You have to install them from the ftp-site.

Re:Netscape too?

[nafmo]

No matter if he does, what he says is the truth, contrib and non-free are NOT part of Debian, only main is official Debian. However, updated Netscape packages are on the way.

Re:Netscape too?

[antifuchs]

Perhaps it's not so funny as it's supposed to be...

It is not. Binpatching non-free software is not very funny, indeed. You could ask the fortify maintainers (-:

But back to topic: how can it be Debian's fault if non-free (thus, not really patchable) software has bugs?

(thinks)

Just following the Karma recipe, or was that supposed to be humorous? (-:

--
this post was brought to you by Andreas Fuchs.

Re:Netscape too?

[.pentai.]

what I got from it is that there are versions of netscape without the bug - and he's bitching that debian didn't use those instead

Re:Netscape too?

[antifuchs]

Point taken.

Still, it was not possible to integrate them into the release for obvious reasons: lack of time and the release cycle.

But, judging from the comments (and Ben's addition to the original article) here, 4.75 is already available for those who want it, thus invalidating the arguments of the three of us.

Moderator! Get me four "Redundant"s here! (-;

--
this post was brought to you by Andreas Fuchs.

Re:Netscape too?

[rjk]

It is available and it does work; but where is the announcement? http://www.debian.org/security/ claims to correct most problems "with 48 hours", but we've yet to see any mention of this subject (at least at time of writing).

It's true that Netscape lives in non-free and thus isn't officially part of Debian, but in my opinion if you distribute any software, you should make at least some effort to keep your users informed when you discover a problem with it.

Re:Home directory permissions

[Ed+Avis]

I was thinking more of NFS, where files will get sent unencrypted over the network anyway. I agree, on a system where users log in locally, which isn't likely to be cracked or physically broken into, chmod go-rwx might be effective.

I didn't advocate ditching permissions on home directories, just changing the default. If users want obnoxious permissions, that's their choice, but the default should be something sensible.

Next time do some real research.

[Emphyrio]

The main thing i thought (after reading the article) was that it's mostly right, as far as i know.
The package-signing thing has been bothering me as well.

But.

The example of rpm's package-signature checking gives an example of a better idea, but i don't want to think about what happens when the vendor key is compromised. If somebody has the key the rpm's are signed with, he/she can create a very real false sense of security ('the signature's right, so the package is 100% certain correct and secure, as well'), by applying the signature to altered/compromised packages.

The lilo-security thing seems a little farfetched to me as well. I didn't see a comparison with other distributions, and as far as i know, there are no other distributions that enforce a lilo-password.

Did he check the packages of wich you mentioned there was a security hole in them (proftpd, apache) ? A lot of debian packages (and these as well, afaik), are patched to fix those holes. Apart from that, Debian offers (fast) updates to vulnerable packages, in the form of a security.debian.org apt-rule, where fixed/patched versions are available.

From the article: >This portion could be rather long, so I'll cut the list short. Debian has
>shipped more than a few daemons that have severe security problems, many
>of which were fixed well before Debian 2.2 was released. I find this
>unacceptable, especially in the light that Debian has not released any
>updates for these packages!

I wonder if he actually checked all these 'more than a few daemons'. By my knowledge there are no publicly known vulnerabilities in Debian.

Some comments on the summary:

>Debian's goal of a bug free-release hasn't been met. But to be fair, it's
>not like any software vendor will ever release bug-free software.
>Debian has done a particularly bad job in my opinion, shipping out-of-date
>software and especially publicly available network daemons that have root
>hacks in them.

There is no such thing as a bug-free release. Debian has done a pretty good job in keeping their releases (including the latest one) secure. There is no software shipped in the last Debian distribution with the publicly known root hacks mentioned.

>If you do go with Debian, you'll have a lot of manual updating ahead of you
>to bring it up-to-date and secure it. Unfortunately, the argument "
>apt-get, apt-upgrade" won't work, since many of these updates are not
>available as dpkg's yet.
Adding security.debian.org in your apt-rules list works just fine. A lot of Debian maintainers fix security bugs in their packages, often before they become publicly known. An out-of-the-box Debian system will only have the security bugs that have become publicly known after its release date, and these can be fixed with the above-mentioned security updates.

>Debian has also ignored a lot of work other vendors have put into making their
>distributions more secure. If you don't learn from the mistakes and
>improvements of others, there is little hope. This is especially frustrat
>ing in light of Debian's effort to secure various parts of the distribution,
>using Exim by default instead of Sendmail.
>Having seen things like that during the install, I had a lot of hope for
>Debian, but my hopes were dashed to pieces upon closer inspection.
Debian is a distribution that _adds_ to the work other vendors do, making their distributions more secure. If he actually would would have taken a closer look (wich he obviously hasn't done), he would've seen there's a lot more work being done on the security of Debian than there's mentioned. The article shows some knowledge of security in linux systems, but also a very badly-informed, no-research, superficial look on Debian security issues.

Re:Next time do some real research.

[prodos]

>Apart from that, Debian offers (fast) updates to vulnerable packages, in the form of a security.debian.org apt-rule, where fixed/patched versions are available.

Does anyone know why the security.debain.org apt source is not included in sources.list in the basic installation? Debian seems to rely on users to discover this their own (which is not unreasonable, since it is flaunted on www.debian.org). Still, wouldn't it just be easier for the installer to add this to the default sources.list along with the deb and deb-src of the chosen debian dist?

The point of Debian

[Foochar]

First and foremost every linux distribution caters, or atleast claims to cater to a specific subsection of the linux population. If you want the most recognized linux distribution, with the one of the bigest installed bases out there you run RedHat. If you want a distribution that is as tight as a drum you apply Bastille Linux. If you want productivity suties cleanly integrated into your install process you run Corel Linux (which BTW is based on Debian.) If you feel like supporting User Friendly you run Suse. If you want a distribution that you know all the parts work well together in you run Debian.

The author of this article seems to lack an understanding of the Debian release cycle. Debian was frozen before several of the release he mentions came out. Once Debian has been frozen getting a new package into it becomes substanially more difficult. Now before everyone screams about how now that potato (Debian 2.2) is stable these fixes can't make it in, keep in mind that security fixes are one of the items on the very short list of packages that can be changed once a release goes stable.

Joe Homeuser most likely isn't going to choose Debian as his distribution. Most people who choose Debian do so because the support Open Source ideals to the extreme and as such have problem been around the Open Source block a time or two and atleast have some idea what they are doing.

Are these valid secutiry holes in potato? Yes! Should someone have written an article bringing them to light? Yes! Is this a big enough deal to warrant a Slashdot Story? No! It should be a quickie at best.

Re:Home directory permissions

Whatever distro you are using is completely messed up then. On a modern distrubtion these problems simply don't exist, or at least on RedHat from at least verison 5.0 they have not existed. The problems you mention are EXPLICITLY mentioned in the RedHat User Manual and they discuss they quite simple solution that is completely transparent to the user. Every user on the system has their own group and the default umask is 002. So lets say we have a user bleh. When he creates a file it will be owned by owner bleh and group bleh. The file permissions will be -rw-rw-r-- . Since bleh, is the only member of group bleh, he will be the only one able to write to the file. Every one will be able to read it. If you don't want everyone tob e able to read the file you can make your umask 007. Also note that by default redhat makes home directories -rwxrwx---. Thus another user on the system would not be able to read the file unless they knew the name of the file. Just remeber you can change your umask if you don't want other users to be able to read your files. Now let's say bleh is working on a project with several other people. The system administrator creates a new group 'project1'. He adds all the users assigned to work on the project to the group project1. He creates a directory where all teh work for the project will be stored, /usr/local/project1. He does chown root.project1 /usr/local/project1 . He does chmod 770 /usr/local/project1. He does chmod g+s /usr/local/project1. Now, when user bleh or any other user working on the project creates a file in /usr/local/project1 the file will be owned by the user who created the file and the group of the file will be project1 (Since the directory is g+s). The permissions of the file will be -rw-rw----. This means any user working on project1 can read or write (modify) the file. ALL OF THIS TRANSPARENT TO THE USER. The only person who has to woorry about this is the system administrator. This procedure is documentted in several places and any system admin worth a penny knows it already. So before you go spouting about deficiences in permission lists, GO AND READ!

Informed comments from a Debian Developer

[StormCrow]

Group writable home directories: Debian uses "user groups", where every user gets their own group. This makes working on shared projects (in a +s directory) slightly easier, since your umask is 002. However, since nobody is in your group by default, your home directory and files there are as secure as if they were only user writable. This is configurable in /etc/adduser.conf, and if it is set to no, Debian's default login scripts do the correct thing and set your umask to 022

Re:Informed comments from a Debian Developer

[Palin+Majere]

>Group writable home directories: Debian uses
>"usergroups", where every user gets their own
>group. This makes working on shared projects
>(in a +s directory) slightly easier, since your
>umask is 002. However, since nobody is in your
>group by default, your home directory and files
>there are as secure as if they were only user
>writable. This is configurable in
>/etc/adduser.conf, and if it is set to no,
>Debian's default login scripts do the correct
>thing and set your umask to 022

No no no! This is _not_ the correct thing. If each user is the only member of his/her default group (i.e. joeuser/joeuser) and all of his/her files are owned by that group, you are providing _no_ extra functionality by having them group-writeable, or even group-readable. None. Zero. This "makes working on shared projects (in a +s directory) slightly easier" thing is an absolute myth. In order to do what you describe, the user would both have to a) have an idea of how to run chmod and b) actually _run_ chmod, at which point they can change the safe, secure, hopefully default permissions that allow _only_ the original user access to it.

Why is this so important? Because leaving everything completely accessible by groups, _any_ groups, opens up another file to be comprimised. In the above arrangement, all a hacker needs to do is find a way to hack /etc/group (or whatever the equivelent is. I don't use Debian, myself). That's right. Thanks to having hacked /etc/group, all your shadow passwords are no longer neccesary, since the hacker can now access any user files (s)he wants. I wonder if they do root files like that...

Also, neither you nor Ben Collins address the problems of leaving user directories world-readable and -executable by default. Say goodbye to working ssh under that arrangement, unless you've got the foresight to manually set your directories up properly. And what happens when you try to set your ssh keys up, expecting things to be secure? You've got a window of oppurtunity where another user on the system can get _all_ of your RSA information. Your personal and private keys are right there, ripe for the taking with just a simple "cp ../joeuser/.ssh/* ~", and you'd never be the wiser.

Come on folks, say it with me now: The correct thing to do is set umask 077 and chmod -R 700 /home.

Re:Informed comments from a Debian Developer

[Fluffy+the+Cat]

Say goodbye to working ssh under that arrangement, unless you've got the foresight to manually set your directories up properly. And what happens when you try to set your ssh keys up, expecting things to be secure? You've got a window of oppurtunity where another user on the system can get _all_ of your RSA information. Your personal and private keys are right there, ripe for the taking with just a simple "cp ../joeuser/.ssh/* ~", and you'd never be the wiser.

From the source code to the ssh-keygen shipped with Debian 2.2, we have:

if (mkdir(dotsshdir, 0700)
error("Could not create directory '%s'.", dotsshdir);

Brief investigation reveals that the private RSA key is saved with permissions of 600

fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);

Now, could you possibly elaborate on the security issues with SSH that exist here?

Re:Informed comments from a Debian Developer

[StormCrow]

ssh-keygen AUTOMATICALLY sets the permissions on the private keys it generates to 0700.

Hacking /etc/group requires root access, there went your security anyway.

My comment about shared projects is meant for example, /var/www (which you set to group writable by a web author group, and chmod +s the directory). Once you've done this, every file created in the directory will carry the group of the directory (i.e. web-auth) and if they're group writable, your web authoring group will have fewer problems where they need to track someone else down to make changes. Of course this assumes that this is the security model you want, but it does make it easier to work with by default.

Re:Informed comments from a Debian Developer

[Palin+Majere]

And if you're brining over existing ssh keys from another server? One that you're decomissioning or migrating from? Not everyone uses ssh-keygen...

The flaw isn't with SSH. It's with Debian's default umask and it's default permissions on home directories.

Re:Informed comments from a Debian Developer

[Palin+Majere]

Why are you going to give hackers another _unnecessary_ opening in your system? We're talking security here people, come on. The fact that it 'requires root' in order to hack /etc/groups is crap, and you know it. If it "required root" to hack things, nobody would ever get rooted except from someone walking up to the console and booting into single user mode. With as focused on security as this discussion is, I'm surprised you even brought that up.

What happens if there's a bug in say, vi, that lets an unpriveledged user kidnap an editing session only for the current file being edited? If you're editing /etc/group to set up that new web-editing group, you've just lost all your user files under those default permissions. Is there such a security whole in vi? Of course not. Could it conceivably happen? Hell yes.

Your example for /var/www has absolutely nothing to do with the issue at hand. Setting that up requires two steps: a) changing the permissions to be set-gid on the directory and b) changing the ownership.

Having to do both of those things means you have saved the user exactly NO time by making things default to being group read/write/world read.

There is nothing wrong with having those permissions on a directory. It _is_ a problem if those permissions are the _default_.

Re:Informed comments from a Debian Developer

[Fluffy+the+Cat]

And if you're brining over existing ssh keys from another server? One that you're decomissioning or migrating from? Not everyone uses ssh-keygen...

Ok, that's clearer. The first time you run ssh on a Debian system the .ssh directory created isn't world readable, so if you're copying them across the network then the .ssh directory will already be unreadable to the attacker.

Now, cp will attempt to preserve the permissions of an original file within the constraints of your umask. With a umask of 022, a file with permissions of 600 will keep those permissions if you cp it somewhere. scp behaves in the same way. Unless you're doing something stupid like using cat to copy your keys around, it doesn't seem like a problem.

Re:Informed comments from a Debian Developer

[Harik]

Come on folks, say it with me now: The correct thing to do is set umask 077 and chmod -R 700 /home.

Ok, I'll repeat after you. "Palin has no idea what he's talking about. At all."

SSH happily creates .ssh/identity mode 0600. The only thing I dislike is having authorized_keys visible, but the end-user has to create that himself and if he's doing that he has enough clue to set the mode right.

Having home directories set mode 0755 is extremely useful to EVERYONE. For one, no complicated public_html setups with symlinks and rewrite rules. (I know, I have a server setup with seperate home and public_html. It's a royal pain in the ass.)

usergroups is braindead, and as such is in my stock "turn it the hell off" list when I install a debian system. It's nice that that list is short, though.

Thanks to hacking /etc/group? Are you really that stupid? If you have the ability to modify /etc/group you're gonna put yourself into something nice like say disk. And why are devices group readable and writeable? So the programs that need to read/write them only have to be setgid rather then setuid! Until ACLs/capabilites are in use (and well understood) it's much better to sgid programs then setuid'ing them.

Anyway, your homework assignment for the day is to "man 2 open" and explain how you create files securely.

--Dan

Re:Informed comments from a Debian Developer

[Palin+Majere]

>Now, cp will attempt to preserve the permissions
>of an original file within the constraints of
>your umask. With a umask of 022, a file with
>permissions of 600 will keep those permissions if
>you cp it somewhere. scp behaves in the same way.
>Unless you're doing something stupid like
>using cat to copy your keys around, it doesn't
>seem like a problem.

Hrm. Poor example then. You do, however, see my point. Anything you create is immediately vulnerable to being copied by any other user. Forget using your favorite editor to create files. Now you need to "touch filename;chmod 600 filename;vi filename".

Fortunately emacs obeys existing file permissions with is tilde files, otherwise you could be in for even more pain.

Re:Informed comments from a Debian Developer

[Fluffy+the+Cat]

The same is true of most Unices I've used, though. My AIX box defaults to everyone being in the same group and the defualt umask being 022. I'm not sure why users would immediately expect other people not to be able to read their files, especially when the same is true of Windows 9x by default :)

Re:Informed comments from a Debian Developer

[Balp]

There has been aloot od this type of "flamewars" on the OpenBSD mailinglists too. Does different permissions on the users homes directories make any additional security?

In the end it comes down to if policy of the site. What kind of information does one handle. How bad is it for the other users to find out the information. One sould also be aware that not haing the other group being able to read a users home-directory does force some services to run as root. To beable to access files of a user. Proceses that doesn't need to be root at all. For excapme web-servers (public_html, well actually a +x on the home and rx on the web directory is needed.), and mail deamons (.forward, .procmailrc). I personally think this make more potensional security holes that the minor privacy problem with deafult having files accessable to other users. THIS is merly a problem of INFORMING the users about the policy.

Unix tradition is that the home is open, that you may create locked rooms in side you home.

/Balp

Re:Informed comments from a Debian Developer

[Slay]

Still, nothing here that can't be fixed with chmod and umask.

---

Re:Informed comments from a Debian Developer

[Balp]

> Come on folks, say it with me now: The correct
> thing to do is set umask 077 and chmod -R 700/home.

No way the correct security way is to have the hom chmoded 755 and the umask att 022 (or maybe 002, depening on your policy). Ofcource if you have no cooperation between your users and like web-servers, mail-servers and so on to run as root that maybe you should look down the security. But generaly I think that the gains by not having all the deamons with root permission wins aloot over having the directories locked down. That only give a safe privvacy feeling.

/ Balp

Re:Informed comments from a Debian Developer

[Balp]

Wrong your home-work is man 1 chmod
(Hint: It doesn't change the owner of the files.)

/ Balp

Question about the home directories thing

[Jaime+Herazo+B.]

We all know that go+rx is not a good idea, but as Kurt says, if you protect the userdirs (chmod go-rwx) the apache user directory behavior (the "go to http://our_server/~yourusername to see your webpage" thing) breaks.

Is there a safe workaround? i mean, i have here a computer room for a school with 270 users that want their homepage to show up, even if it's internal -we have one dialup for 12 computers and no money for a bigger connection or more PC's :( - Is not like they have top secret documents, but...

BR> -you mean that if i were root, i could get all the passwords?

Re:Question about the home directories thing

[antifuchs]

Simple, crufty, working, dunno-if-it's-secure, straight-from-the-cookbook Solution:

1. go-rwx all homedir incl. subdirs/files
2. o+x the home directory itself.
3. chgrp www (or http, nobody or whatever your httpd runs under) the public_html dir
4. g+rx public_html and subdirs/files

Seems to work, but I dunno if there is a risk connected to it. Symlink attacks anyone?

--
this post was brought to you by Andreas Fuchs.

Re:Question about the home directories thing

[jcostom]

If the home dir is set to mode 711, and their web directory (public_html, or whatever your configuration calls for) is set to 755, you'll be fine.
--

Re:Question about the home directories thing

[QZS4]

This is for zsh, but bash should work similarly, I guess. Put it into your global zshrc. (No, I didn't write it, I just "borrowed" it...). It doesn't solve all problems, but some of them:

umask()
{
if [[ $# -ne 0 && $PWD != ~/public_html* ]]; then
_orig_umask=$1
fi
builtin umask $*
}
umask 077

chpwd ()
{
if [[ $PWD = ~/public_html* ]]; then
umask 022
else
umask $_orig_umask
fi
}

Re:Question about the home directories thing

[demon]

If another user knows the name of a file in your home directory, even if they can't list the directory's contents, they can still read/write/execute it if the file's permissions allow it. That's just a case where any "private" files needs to have their mode changed to prevent others from accessing them.

But of course, as others have said, don't expect complete privacy on a multiuser machine.
_____

Always do testing on your own?

[laetus]

This is the stupidest idea continually propagated by us geeks. I'm not flaming here!

Why should I have to continously check every new phrickin' software product I install for security problems?

This is analagous to everytime I buy a car, I've got to get under my car and inspect it's braking system, it's steering system, it's fuel system, etc. so the damned car doesn't send me and my family careening over a cliff or exploding on us.

For God's sake, this industry has GOT to start getting things right BEFORE they phrickin' ship. We need a Consumers Reports or UL type-testing system so the software user can reasonably expect they're getting a quality product.

Passing testing security off to the user is lame, lame, lame.

EMUSE.NET

Re:Always do testing on your own?

[Jaime+Herazo+B.]

You do realize that, at least with free software, we, the users, are both the testing base and the developers, do you?
BR> -you mean that if i were root, i could get all the passwords?

Re:Always do testing on your own?

[Sensor]

Well actually I did do that with my car - but on the other hand it is a 1976 MG Midget *grin*

Re:Always do testing on your own?

[MartinG]

And I suppose your car can't be broken into by a thief, and it locks and alarms itself whenever you leave it unattended without you having to think. Surely it automatically parks in a safer place if you leave it in an unlit back alley somewhere.

Is that the industries responsibility too? Perhaps you want brick-proof winshield glass as well?

Of course it doesn't explode of go off a cliff while you're driving it. Driving is its primary USE. Just like computer systems have a primary USE. It's ABUSE we are talking about here though and the "industry" can't cover everything. All they can do is their best. The rest is up to you.

If you think there will ever be a system you can install and leave and it will be 100% secure then it's only a matter of time before you are H4x0R3d.

Re:Always do testing on your own?

[Reggyt]

My car *DOES* that. I call him Herbie. The only problem is, when he decides to park somewhere safer in his judgement than mine, it takes me ages to find him.

IMO better to have all the responsibility for yourself than to share it and find that something you didn't expect happened because you thought it was covered elsewhere.

Re:Always do testing on your own?

[kaisyain]

Actually, my car does alarm itself automatically without me having to think. 30 seconds after I remove the key from the ignition the alarm will arm itself without me having to think.

Re:Always do testing on your own?

[sporty]

Whoa.. now as a programmer, I take some offence to this. We are only human. We make mistakes. You don't condemn the doctor who loses a patient because their best work wasn't good enough. Yes, you test and you test. If you could test infinitely, you'll have the 'perfect product', but sometimes, the rush to get things out is to fix more serious things. Sometimes releasing things out into the wild is because someone jsut didn't see the problem as it may be ever so subtle.

And you do have the undersides of your car inspected once in a while. They are called mechanics. They check the oil, if you pay them, rotate the tires. They do do maintenance for wear and tear.

---

Re:Always do testing on your own?

[richie123]

Well, ya, when you buy a new car you probably should check it's history to see if their are any major known problems with the car.

Re:Always do testing on your own?

[aonifer]

This is analagous to everytime I buy a car, I've got to get under my car and inspect it's braking system, it's steering system, it's fuel system, etc. so the damned car doesn't send me and my family careening over a cliff or exploding on us.

You mean you don't? God help us all.

Re:Always do testing on your own?

[pbryan]

> This is the stupidest idea continually propagated by us geeks. I'm not flaming here!

I have the sneaking suspicion that I am walking right into your flamebait trap... :)

> Why should I have to continously check every new phrickin' software product I install for security problems?

You are responsible for the security and stability of your own systems. Debian isn't a public service that you have some right to expect anything from.

> This is analagous to everytime I buy a car, I've got to get under my car and inspect it's braking system, it's steering system, it's fuel system, etc. so the damned car doesn't send me and my family careening over a cliff or exploding on us..

The United States does have laws that protect consumers from vehicle defects, but your braking system, steering system, and so on can fail if not properly maintained. Certainly performing custom hacks on your car is at your own risk.

If you want to ensure your family is safe, you'd better take some responsibility and do research before buying a car, and perform regular maintenance once you own it.

This goes the same with your computer system. New exploits are found all the time in software packages. The duty falls onto you to ensure your system remains secure and stable.

BTW, I seem to recall there was some comparison done between Windows and a car crashing every 50 miles? :)

and the point is.....????

[Lxy]

From glancing through the article, it appears that he's ranting about one basic thing... there is no perfect distro, and if there was, it isn't Debian 2.2. Big deal!! I have yet to install that "perfect distro" on my machine. I don't like things about Mandrake, Redhat, Slackware, and Suse. I think this goes on the same basis as a distro war.. certain distros do things better than others. So Debian didn't suit the needs of this guy. Install something else that appeals to you and move on with life.

"You'll die up there son, just like I did!" - Abe Simpson

About openness?

[YoungHack]

I realize that openness and security are always at odds, but I have always preferred world readable directories for convenience. Most of the generic files in my directory (.cshrc, .login, etc.) are files that a relative new person could learn a lot by perusing. I create private directories for the things I don't want to share.

I am probably a little more vulnerable because I don't close everything and open only what I want; but I want most everything open and I like the good atmosphere of it.

https being trusted?

[paranoidfish]

so you must somehow get the MD5 sums from a trusted host (https:// for example).

Since when does running an SSL webserver mean that it is trusted? All it means is that the connection is encrypted, not that the information is any good.

Normally I wouldn't nitpick about this, but in an article about security risks, you'd expect the distinction to be made. Ho Hum

Re:https being trusted?

[jcostom]

Presumably, you trust your OS vendor. They have been granted an X.509 certificate for the server you're talking to, identifying your OS vendor as the people you're actually talking to. You can verify this by examining the digital signatures on the cert. It should be signed by a CA that you both trust. That's just something that can happen "automagically" with SSL, so long as the apps enforce "the rules".
--

Of course I do.

[laetus]

Of course I do. But do you realize that not all of us run "free" distros and want to recompile our own kernels every other month? I was speaking of the general attitude that security rests with the user. Boxed distros/OSes and other boxed software was my target.

EMUSE.NET

Re:Question about the home directories thing (yes)

[baywulf]

"We all know that go+rx is not a good idea, but as Kurt says, if you protect the userdirs (chmod go-rwx) the apache user directory behavior (the "go to http://our_server/~yourusername to see your webpage" thing) breaks." The simple solution is to create a directory structure parallel to /home (say /www) with more open directory permission so the web server can read them. Then reconfigure Apache to read personal home pages from there instead of ~/public_html.

Re:Your karma recipe for today

[dstanfor]

Actually, I think about the best thing for your karma is to be the first to post a Karma Recipe to each new article on slashdot.

Some silly points

[TheCarp]

Ok...the umask is permissive and user home dirs have read and execute bits by default. All this means is that users need to be carful. I have no problem with that....thats not a real security flaw. Its just something that the author doesn't like.

MD5/crypt passwords. Yup ok thats kind of a silly default these days. Of course IMHO crypt is good enough. An attacker practically needs to compromise root just to get the shadow file anyway!

Lilo is setup to allow command line options. Yea so? Doesn't that make sense after a first instal? Exploiting it requires physical box access, at that point 99.9% of machines can be compromised by throwing a root disk in the floppy drive and hitting cntl-alt-del anyway. Besides....after a fresh install you may want that, lock it down after its working right!

Face it....ANY system, out of the box, needs to be secured.

As for Apache....he complains that it being 1.3.9 rather than 1.3.12. Well Debian has been in freeze for a while. That means "NO NEW CODE", unless there is a security fix. Is that apache upgrade a security fix? If not, then its right to not ship it.

PROFTPd, no clue, would have to ask the maintainer as to why it wasn't done. A look at the Debian BTS shows a root compromise bug fixed...perhaps they just patched the problem in the old version. That way fixing the security issue without introducing any more NEW CODE than is absolutly needed (it was during a freeze).

This is probably the case for several other deamons. He should check and make sure that the system is actually vulnerable before he goes around reporting that it is. Of course without a complete list of which "insecure deamons" he found, its hard to refute is claim that there are "lots".

As for xchat...no clue. I don't use it. Looking through the bug report logs now, I don't see any bugs mentioning this, perhaps noone reported this bug that he is complaining about. He could I dunno, report the bug! What a concept.

> Debian has also ignored a lot of work other
> vendors have put into making their distributions
> more secure.

Eiither that or some author has completely ignored changlog files and bugreports...and feels the need to fault the system for not having the defaults that HE likes. Not like they arn't changeable.

Re:Some silly points

[TheCarp]

While true....its not all that big of an issue.

Again, you need password hashes to crack before you can begin cracking them. Getting them is usually harder than cracking the box in other ways.

Users still wont use secure passwords. You try to force them to, and they will just write their password down under their keyboard.

Yea MD5 passwords are MUCh better. However they are NOT a huge deal. The majority of attacks do not come from someone getting a copy of the shadow file.

Besides...it was just a defult anytway...changing th esystem to use the MD5s is trivial. I did it, my systems use them.

Bottom line: If you don't want to use crypt, don't. It is silly to criticize debian for giving you a choice! It is, afterall, a choice.

--Steve

Re:Some silly points

[TheCarp]

Which as I remember is because OpenBSD comes with everything turned off. Meaning that you install it...now you have to go through and enable shit and turn things on.

From the installing admin POV, there is little difference between installing a system and locking it down...and installing a completely locked system and opening it up. Its going to be the same amount of work either way, and either way its something that you have to do. (or at least you better believe that you have to do)

I dunno...im all for letting people be lazy and shoot themselves in the foot...afterall if thats what you want to do, thats fine.

-Steve

Simple equation.

[xonix7]

As for the basic services, some of them actually come in pretty handy. Sure, you don't want to allow them to be misused, but there's quite a simple solution for that.

Under Linux 2.2.x, you'll use "ipchains" to block off the ports these services are running on to all but your own trusted hosts. You should also block off any packets claiming to come from non-routable adresses and other suspicious stuff. This way, you don't actually need to disable any of your services, you can simply block off the ports they run on.

The need for security at all is worrying to some, though, including me. Because it means that we are losing touch with ourselves - with the essential goodness of the universe. That security in other forms (non-digital) has been around for thousands of years is no license for teh behaviour of mistrust security demands - neither, however, is the non-use of it license for abuse of the trust shown by the individual in question - no, if we are to be one - with ourselves, with eachother....

This can simply be explained by explaining the universe itself - not all of the universe, but a vague conceptualization of it, and how it - in part - relates to to the parts of us that come into play when thinking about things that make us need security - alienation from fellow human beings, the thought that something deceptive is running through our minds, our souls. This is the algorithm.

DIM b AS Integer

DIM Universe AS Integer

55:

b=0:IF b=0 THEN

DO

b=b+1

Universe=b+2

IF b+0=Universe THEN GOTO 55

Re:Simple equation.

[Samus]

Your algorithim sucks. IF b+0?

"What are the three words guaranteed to humiliate men everywhere?

Re:Simple equation.

[kootch]

no offense, but I disagree with your signature.

Italian men as well as many europeans men carry large "wallets" that could be called purses by americans.

many english actually call a wallet a purse.

also, did you ever see the Seinfeld episode about the male purse?

Secure by default?

[pointwood]

LinuxPlanet has a pretty good article about the default security in all or most Linux distributions here.

It is about the lack of default security in most distros.

Why is it that most distributions isn't made secure by default? (like OpenBSD, which I have heard is pretty secure by default)

Is it convinience? (just turn on "everything", then the user don't have to bother with starting any services)

I know that you can choose the security level when installing the Mandrake distro - does anybody know how secure it is if you choose "paranoid" (the most secure), or which level you have to choose to make it pretty secure by default?

Re:Secure by default?

[buffy]

Yes. It's to make the default installations convenient to a novice user, or one who doesn't really care. I believe that it's expected that a user past that point should be able to make the simple modifications necessary to close down a few services--it's one of the first things I figured out how to do.

Same with RedHat to me

[Pflipp]

I have been using Debian, but use RedHat now. And I can still recognise each and every security complaint in this article.

- /home/*/ is world readable. Well, I remember that this was part of Debian's philosophy of an open system; almost all files in a Debian install are world-readable. Please don't ask me why - I can only recall reading that it was part of their philosophy. But it is, at least practically, the same with RedHat; because they also use /home/*/public_html for the ~* Apache directory. So if you user dir would've been rwx------, you would change it to rwxrwxr-x yourself just to be able to have a website of your own. At least I did in my ignorance, and let that be a proof that other idiots will do this as well. BTW, I have access to an OpenBSD machine, here also all files are world-readable.

- inetd and daemons open. I am glad that this is critisized. Because Unix is so proud of its connectivity etc., it often wants to show off that running a lot of connectivity apps by default is "standard" and "normal". In my RedHat inetd.conf, there are a whole lot of things open that I've never even heard of, but of which I don't know what will happen when I switch them off. And the daemons... well, don't speak about the things RedHat 6.0 launches ;-) This attitude needs changing.

- The signed packages thing has luckily become an issue with Debian. But as shown, AFAIK, you have to check for signs in RedHat by hand. It would have been better if somehow you package system detects the problems and alarms. Now THAT would mean something. But the trust we have in automatic upgrades makes us very vulnerable, indeed.

BTW, it's funny how -x works for a directory. I never knew. Actually it works kind of strange; you can list all files, but you cannot have any further information on these files (e.g. ls -l). You can't delete the dir. Strange. Should't -w and -r have a little more logical effect? In other words, what's the special use of -x?

Greets,

Stefan

It's... It's...

Re:Same with RedHat to me

[teg]

In my RedHat inetd.conf, there are a whole lot of things open that I've never even heard of, but of which I don't know what will happen when I switch them off. And the daemons... well, don't speak about the things RedHat 6.0 launches ;-) Red Hat Linux doesn't include inetd by default for workstation installs, and hasn't for a couple of releases - I think 6.1 may be the release this was changed. This attitude needs changing.

Re:Same with RedHat to me

[demon]

BTW, it's funny how -x works for a directory. I never knew. Actually it works kind of strange; you can list all files, but you cannot have any further information on these files (e.g. ls -l). You can't delete the dir. Strange. Should't -w and -r have a little more logical effect? In other words, what's the special use of -x?

No, the 'x' bit on a directory lets you execute (change into) a directory. If a directory is +x only, you can change into it, but you cannot list its contents. (If you know the name of a file and the user you're logged in as has read permission, you can read it.) The 'r' bit lets you list the contents (but by itself, won't allow you to change into the directory or access the directory's contents). The 'w' bit on a directory lets you modify the directory's contents (add a file, delete a file, rename a file, move files in/out). The 't' bit will restrict directory-write privilege to your own files.
_____

That's the best he can do?

[Greyfox]

Now I agree that there should be a distribution that installs reasonably securely by default for all the good it does since most newbies would probably go for RedHat these days, but come on...

First thing I do when I install a new dist is go in and fix the default brain damage -- disable all servers (Bind, sendmail, Portmap and FTPD being absolutely evil in my book) install some secure stuff and continue. Now a newbie woudln't know to do this but a newbie won't be able to keep his system secure anyway. Which brings me to point two.

About half the stuff he gripes about assumes you have users. For most Linux installations, if you hand out accounts, you may as well be handing out your root password. Do this sometime: "find / -type f -perm +6000 -exec ls -al {} \;" and count up the setuid files. Now ask yourself how many of them NEED to be setuid. How did you do? Half? Less than half? Distributions hand out setuid bits like haloween candy. Does all that crap need to be setuid? NO! And if you're wondering why setuid bits are bad and you've handed out accounts on your system, you've probably already been taken over.

Re: Netscape: I always turn java and javascript off by default. Not only do I not trust the langauges, but the browser is much more stable without them (Especially Java. Netscape with Java enabled is satanic, really.) 'Course I've pretty much completed my transition to Mozilla, too (With Java still turned off.)

Re: Dpkg: Cryptographic signing would be nice. Probably take less time to add than it did to write this article (Or this post for that matter.)

As for physical access, if you really want to be sure, install encrypted filesystems, because if someone's broken into your house or office with the intent to rifle through your computer, he'll have brought a boot disk and a screwdriver so he can jumper your bios back to its default settings, too.

Personal quibble, chmod go-rwx /home/username? What UNIX god doesn't use the octal numbers, saving themselves 3 keystrokes (chmod 700 /home/username) in the process?

Re:That's the best he can do?

[scheme]

Do this sometime: "find / -type f -perm +6000 -exec ls -al {} \;" and count up the setuid files. Now ask yourself how many of them NEED to be setuid. How did you do? Half? Less than half? Distributions hand out setuid bits like haloween candy. Does all that crap need to be setuid? NO! And if you're wondering why setuid bits are bad and you've handed out accounts on your system, you've probably already been taken over.

I tried your experiment on my redhat system and found only 34 suid files. 12 of those were actually had the sticky bit set on the group so they only changed gid, not uid. Of the remaining programs they consisted of either security wrappers like Xwrapper, pt_chown or programs that need suid to work gpasswd, chfn and friends, su, mount, umount, etc. or daemons and safe programs that need it at, ssh, crontab, sperl, suidperl. The only questionable choices I found were ping, traceroute, and usernetctl but ping and traceroute don't work with out suid and usernetctl is small (

Incidentally as others have pointed out, RedHat has changed to not installing inetd when you choose the workstation config and I believe they closed off a lot of the open services in their default inetd.conf

Re:That's the best he can do?

[divec]

Personal quibble, chmod go-rwx /home/username? What UNIX god doesn't use the octal numbers, saving themselves 3 keystrokes (chmod 700 /home/username) in the process?

There is a subtle difference between the two types of command: the latter is like the former with an implicit "chmod u+rwx /home/username". In this case they're probably the same, but it's no bad thing to be in the habit of using the former cos sometimes it is different.

Re:That's the best he can do?

[mithrandr]

just a couple of points about the files you listed. Keep in mind that this is for my home machines where I am the only user. I remove the suid bits from mount and umount, because I am the only one that should need to mount drives anyway. If I start giving out accounts on my home system, this is something I won't have to worry about then, as it's already been taken care of. I don't use at, so I disable it, if an exploit does happen to come out, I don't have to worry about patching it right away, but it's still a good idea to do so. The same thing goes for gpm, I don't use it when I'm in console mode, so when that exploit came out a couple of weeks ago, it wasn't a major concern.

The Bastille hardening script for RedHat based systems has the option to remove suid bits from ping and traceroute. It doesn't break them, you just have to be root to use them. There are debates about whether or not regular users should have access to tools such as ping and traceroute anyway, and it's likely I won't be the one to end the debate, but I prefer on my own machine to limit it to root. After all, I am root, and if I give out an account to a friend, he can just as easily run ping from his own machine. if you want to give permissions to some people and not others, sudo is extremely easy to install and configure and works great for limiting su access to specific users for specific applications.

Once again, a lot of this was learned from experience, I spent time using the system and learned what I need and what I don't need, and now I know what comes enabled and how to disable it shortly after install, before connecting to the Internet. This doesn't mean every vendor should ship their systems to my specs, after all, I'm a nobody and really have no say over what vendors put in their OS.

One thing I don't agree with is some of the default behaviors of certain parts of the OS. For example, a friend of mine got cracked with one of the latest wu-ftpd exploits. The attacker added a user with uid 0 and removed /etc/securetty. I don't know if you know what this does, but the default behavior is that if securetty doesn't exist, rather than restricting a root login (especially a remote one), it compalins that it can't find the file and then lets the user login anyway. For this, I would prefer the default behavior to be something more along the lines of "if /etc/securetty doesn't exist, don't let someone with uid 0 login anywhere." Even if the administrator accidently removes securetty, if they were security conscious, they would have created a non-root user, and nothing would stop them from logging in as an unpriviledged user and su'ing to root to fix the securetty file. Of course, the whole incident stemmed from him running an insecure ftpd that he didn't even need.

I don't know how many other examples there are of insecurity like this, I mean it's probably something someone just over-looked. I'm not a kernel developer, I'm trying my best not to throw stones, as I realize the kernel hackers and OS people are lightyears ahead of what I can do, but as a user, it's those kinds of things that worry me. disabling services is something I can do, re-writing the kernel or the os, I'm not quite to that level yet...

point by point rebuttal

[opus]

(1) "Defaulting to one partition."

Last time I installed Debian, I had to use fdisk to set up partitions, but maybe I just selected the advanced option. I dunno.

Anyway, unless the machine is a remote syslog server, this opens you up to (at most) a "local denial of service attack". And the only way to deal with those is with a baseball bat.

(2) Crypt instead of MD5 passwords.

The only advantage MD5 has over crypt is that you can chose passwords with more than 8 characters, and a larger salt to make dictionary building harder. Lousy passwords are lousy passwords, no matter how you hash them. And good passwords (8 characters, including non-alphanumerics) are good, even when they're hashed with crypt.

(3) Services in inetd. (discard, daytime, rsh, etc.)

Yeah, these should probably default to off, but none of them are security problems in and of themselves. It'd be nice to ship with openssh, but they can't do that until Sept. 20 when the RSA patent expires.

(4) dpkg not able to check signatures.

This is your one legitimate point.

(5) Home directories world readable, umask 022.

No real security problem here. If a user wants to hide something from prying eyes, they should learn about permissions, or better, how to use cryptography. In general, you shouldn't expect anything on a multi-user system to be private.

(6) LILO.

To "exploit" this, you'd need physical access, at which point the attacker could just as well boot off a floppy. If an attacker has physical access, the game is over.

IMHO, they shouldn't have even bothered with using "sulogin" when entering single user mode.

(7) Apache and ProFTPD versions.

Okay, Apache could stand to be updated, but the cross-site scripting hack is hardly a major security problem.

And your statement about ProFTPD 1.2.0pre10 being exploitable is just plain false! It's ProFTPD 1.2.0pre8 and earlier that have known root exploits.

IMHO they should be using the OpenBSD ftpd by default, but at least it's not wu-ftpd ("Providing remote root since 1994!"), which is the default ftp daemon on RedHat.

In general, I've found that Debian releases security patches just as fast as RedHat and SuSE, slightly quicker than Mandrake, and way quicker than Turbo and Caldera, which run about a week behind.

And the convenience of apt makes getting the security fixes much easier than trying to find a RedHat mirror that's both up-to-date and not completely overloaded.

Re:point by point rebuttal

[disappear]

(5) Home directories world readable, umask 022. No real security problem here. If a user wants to hide something from prying eyes, they should learn about permissions, or better, how to use cryptography. In general, you shouldn't expect anything on a multi-user system to be private.

Right. So let's screw all the newbies, then tell them they should have known better.

IMHO they should be using the OpenBSD ftpd by default, but at least it's not wu-ftpd ("Providing remote root since 1994!"), which is the default ftp daemon on RedHat.

Of course, on the last remote root exploit just the other week, OpenBSD's ftpd was every bit as affected as wu-ftpd...

Re:point by point rebuttal

[sjames]

Right. So let's screw all the newbies, then tell them they should have known better.

Debian is mostly targeted at experianced Unix users. A newbie who wants to set up a home system should do some reading first, ask a more experianced friend to help out or start with a more newbie friendly distro. Most do the latter simply because they base their purchase on advertising.

Re:point by point rebuttal

[IkeTo]

Agreed with most, except this...

> (6) LILO.
> To "exploit" this, you'd need physical access, at which point the attacker could
> just as well boot off a floppy. If an attacker has physical access, the game is
> over.

To perform the attack suggested by the article, you only need physical access to anything that can cause a reboot (e.g. power switch, or a keyboard configured to honor the three-finger-salute) plus a keyboard. On the other hand, to adminstrate anything that you, or others who argue on the same line, suggested, you have to get physical access to other hardware like floppy drives (which might well be absent from machines configured for public use), case of machine (probably locked in safe place) and so on. Why is it always said to be "false sense of security, if the change of config file at least allow the keyboard and monitor to be safely exposed to the public?

Re:point by point rebuttal

[Balp]

> Right. So let's screw all the newbies, then tell them they should have known better.

The security downside of a harder home-directory protection may actually well be bigger that the small gains.

Re:Home directory permissions

[DrXym]

Dumb dumb dumb.

If something is really secret then encrypt it but most users including myself have plenty of files kicking around our home directories that can't encrypted but should still be inaccessible to nosey users.

For example all of the standard resource files, .profile, .bashrc, .bash_history, .newsrc etc. can't be encrypted/decrypted since software needs to read them.

Re:Your karma recipe for today

[arthurs_sidekick]

Or, as has been the case, point out that the article was poorly researched ... but then, that requires actually knowing how Debian does things, doesn't it? Obviously they spent all that time between releases doing something ...

Bullshit

[segmond]

Bullshit!

I have never used Debian, but I run Slackware, Suse, Redhat, Solaris, Free|Net|Open BSD, HPUX, la la la.
But this article is full of shit. Default Installation is not a security hole. Calling / partiton
and swap partition a weakness cuz they are default is just wrong. Most people using linux today, are
single users. Anyone smart enough to be setting up linux for multiple users is usually smart enough
to partition the drives easily. The default password is crypt? How is this a security hole? This has
been the default, and I will really be ticked off if it was default of MD5 or some other better scheme.
Unless the Unix community adopts a new standard, crypt should remain the standard, Solaris, HPUX, they all
use crypt, not MD5. Default internet services are enabled, again this is nothing new, sure they should
be disabbled, but still, can this goon tell me the security holes in them? It is very amusing that he
mentions that gnuplot needs to be installed setuid root. Has gnuplot being audited for security bugs? How
can he make such stupid comments? First of all, there is X version of gnuplot, and I believe that is what
a user who needs to use gnuplot needs it for. No suid needed! Exim (if configured during install) gives
you the OPTION to use the RBL. What is the freaking problem? It gives you the option, if RBL is not working,
you have the option, and Exim is not debian. It is a package. Home directorys are mode 755 by default and
the default umask is 022, what again is the freaking problem? The only valid point I see him making is that
dpkg does not have a signing support. He blahs about LILO, if someone has physical access to your box, you are
owned!!! unless you are using crypto filesystem. Now, if he has bothered to check the CHANGELOGs he will notice
that security patches have been applied. This is a troll article.

What REALLY should happen...

[mcrbids]

From here, it looks like those guys at Debian should be ground up and sold for fertilizer! It's obvious they know NOTHING about Linux and are just masquerading as "security experts"...

Anybody have some white masks and torches?

(sounds *fun*, eh?)

-Ben

Kurt is a reporter, so the answer is 'yes'

[arthurs_sidekick]

So if I want to know the security level of each and every program in Debian, I have to read night and day and have to know which patch adresses which flaw? It's ok (VERY ok) that those pathes are included, but it's also confusing (very confusing I might say

The comments to which you are replying are directed at a journalist writing to inform others about security issues. If you're a journalist, yes, in fact you should read the CHANGELOG instead of simply thinking "hey, default apache 1.3.9 had security problems, therefore Debian's 1.3.9 must have them and running with that.

As a supplement to providing yourself with information, it's not like Debian's package maintainers don't use email, it sounds like the author simply went ahead with his 'scoop' without contacting the principals for their take on it. Such 'ambush' tactics are unprofessional, and obviously, in this case, they backfired.

It's no crime to call the author on this sloppy journalism.

Re:Kurt is a reporter, so the answer is 'yes'

[plankers]

How much work is it to just update the package to the latest version anyhow? Sure, some things change, but when it comes right down to it, people want to look at a machine and say "Yes, I've got Apache 1.3.12, and I'm safe" rather than digging through the bug reports for obscure information. Upgrading Apache to 1.3.12 from 1.3.9 isn't such a big deal, and ProFTPd from 1.2.0pre10 to 1.2.0rc2 is even less of a big deal. When there's a new release of software there are other bugs fixed and rough spots cleaned up that don't make it into the changelog, either because they're perceived to be trivial, the changelog entry is forgotten, or the author is embarrassed that they were there to begin with. People will pick the Linux distribution that they have to mess with the least to have a working system. If people perceive Debian to be out-of-date (and it would seem that way) they won't install it, just like a Red Hat fan wouldn't install Red Hat 5.2 or 6.0.

Re:Kurt is a reporter, so the answer is 'yes'

[arthurs_sidekick]

Fine points, but they don't relate to the issue I was discussing, which is that the article made claims based on insufficient research. My understanding is that the sort of backporting going on here is SOP for Debian.

Re:Kurt is a reporter, so the answer is 'yes'

[sjames]

How much work is it to just update the package to the latest version anyhow? Sure, some things change, but when it comes right down to it, people want to look at a machine and say "Yes, I've got Apache 1.3.12, and I'm safe" rather than digging through the bug reports for obscure information.

It's VERY easy to update to the latest and greatest. The problem there is that then you'll be distributing reletivly untested packages with various unknown security flaws in them rather than one where you have patched against flaws in a well tested version.

In other words, updating a package (Debian or any other package) involves about 5% work to put the package together and %95 to make sure it's at least no worse than what you have, including broken dependencies, silent loss of data, and gaping holes in security.

Many people ALREADY perceive Debian stable to be out of date. They can either use another distro or load unstable (Currently Woody). Others use Debian stable in production because it is WELL TESTED. For a busy ecommerce site do you want the latest of everything, or proven reliable stuff that's a bit older?

Besides that, new versions come out DAILY! Nobody can release a new distro every day!

Re:Kurt is a reporter, so the answer is 'yes'

[Frodo]

Well, I somehow feel that having a stable distro with packages of half-year old is a bit pointless. That's not daily. Apache 1.3.12 was out in February - that's half a year ago. And 1.3.9 is a whole *year* old. Are you sure all the users want to use year-plus old software? And don't talk "unstable" - because when users come and say "your unstable doesn't work", developer's responce will be "that's what you expect from unstable, wait another year or two when Debian 2.3 is out or piss off". I don't really see a point in such release schedule. Why the heck you need that stable if it's so old you should upgrade to unstable anyway?

And then, why the heck should I believe that Debianers backporting 1.3.12 changes to 1.3.9 did better job than Apache developers that put it in 1.3.12? I see here only additional layer, meaning additional space for bugs.

Re:Kurt is a reporter, so the answer is 'yes'

[Jason+Earl]

You have hit on one of the few problems with Debian. Stable is too darn stable, and unstable sounds bad.

Personally I simply run stable with a few packages from unstable (PostgreSQL for one) that have packages that I know are solid upgrades. This sort of thing is trivial to do with Debian Linux. It involves changing one line in /etc/apt/sources.list and then run apt-get update apt-get install and then changing /etc/apt/sources.list back.

The Debian project is also adding yet another distribution that will be somewhere in between stable and unstable.

I can understand your response to Debian backporting patches. I mostly agree. It would probably be easier for all concerned (less wasted effort) if they just upgraded to the newest stable version. As for Debian developers telling someone to "piss off" when they find a bug in unstable, clearly you have never used Debian, nor their bug tracking system. Most developers actually use unstable, and they are VERY interested in making sure that it works.

Re:Kurt is a reporter, so the answer is 'yes'

[jmalicki]

You're forgetting that WELL TESTED is VERY different than proven and reliable. WELL TESTED usually means DISproven. For example, between apache 1.3.9 and 1.3.12, many bugs were fixed. Were huge new features added? no. Were lots of non-security related bugs that would help keep your website from being more stable and reliable fixed? YES. All Debian is doing in this case is refusing to release bugfixes. True, these could possibly introduce new bugs. But this is fairly unlikely.

Great anolog

[Felinoid]

Yes you should check over a car your going to buy.
It's even more importent when buying used but it's importent for new cars as well.
Mass production is not perfict and defects happen.
It is quite posable for there to be minnor damage like a leak in the break line.

Do we all check our cars for such defects?
No... we don't... We buy expecting to get what we are sold. A new car. If a defect shows up in warrenty we take the car back.
People play the same with software... Take the risk and watch for bug fixes...
If you absolutly must have a stable machine then you absolutly should check it over yourself.
If you must have a car in perfict condition you don't have a choice...

It's something for the paranoids... if you don't care don't bother...

sudo

[BlowCat]

sudo is more flexible than su

Re:sudo

[Tower]

True, sudo is, but there's times when you need to be root for an extended period... 'sudo /bin/sh' doesn't seem all that reasonable, and typing sudo before each command doesn't either. sudo is great for a limited set, but when you *are* root, sometimes you need to be root, not just behave like it.

--

Re:sudo

[JeffGreen]

Sudo is of course a total security disaster. After someone has managed to pinch a password and login they now have the ability to become God without doing any further work. If sudo demanded a different password it would be a big help, otherwise...

Re:Your karma recipe for today

[Enoch+Root]

You obviously haven't been looking at the net moderation done on my karma recipes beyond the first one...

My point of view

This guy is obviously impartial; for example, he says that default is DES and, because he prefers MD5 to DES, debian would not be secure? Backward compatibility is important, DES is not that trivial to crack, and /etc/shadow is not supposed to be readable, but whatever: you're god damn prompted about this during the install!

In the top of that It looks like he doesn't not know much about debian, and the concept of freezing a developement tree (cf. his daemons paragraph).

In my opinion, the only valuable issue he raised, is those daytime, etc... ports opened by default. I think inetd and portmap should be in separated packages so that I can dpkg --purge inetd portmap right after the install :-)

I'm using a woody at home, and It look likes they're working on it, netbase is being split into several packages.

Re:Reaction from an outsider (to Debian)

[MrEfficient]

Oh, very professional...

Profesional? What does that mean? Due to the various ways which I've seen that word used, its lost all meaning to me. You mistakenly believe like so many others, that being professional is about appearance, whether that be dress or speech. Being professional should be about actions, outcomes, performance. Just because he used the word bullshit doesn't mean he's not professional, in fact it has nothing to do with it. I'd trust someone who uses the word bullshit as he did before some of the suit wearing, smiling bastards I've know who call themselves professionals.

So very OT...

[CNPOS]

"Update: 08/30 01:44 PM"

Now that's very interesting. It's been a while since I've trolled, but please, someone clue me in here.

Is Hemos posting from the mid-Atlantic? Is the /. Cruiser an Andover funded time travel project? Did I ingest more than my usual amount of hallucinogens with my cheerios this morning?

Its way too early in the morning to be expected to deal with this kind of S.

F .sigs

Re:Reaction from an outsider (to Debian)

[Fluffy+the+Cat]

Question: do you have to check the Debian changelog for every package you install to make sure they're all secure? Isn't there an easier way?

Sure there is - you assume that your OS vendor knows what they're doing. Debian 2.2 was frozen for several months, during which they've had ample time to fix things. Unless you have reason to believe that they're incompetent, and in the absence of any security advisories telling you to upgrade a package, it's probably safe to assume that the problems have been fixed unless you have evidence to the contrary.

Now, in the case of somebody writing an article about a product, the onus is upon them to check their facts. The changelog is the obvious place to check them. What would you prefer Debian do?

Strange expectations from authors

[Lumpy]

Why is it that Linux is expected to be 100000% secure out of the box, while MS products are expected to be 10000% Un-secure in the same light?

WTF is in the heads of reviewers? Debian has some issues... while any script monkey can remotely bsod any NT box from a fresh install.

Cripes, from their own statements of concern, Windows products should not be installed due to the instability and security holes!

Besides, when has ANYONE ever met a journalist that knows more than a pittance about what they write about?

*nix users

[MarNuke]

Now.... the average user is not going to just realize (he|she) needs to go to these places or that these things are even insecure..

The "average" user doesn't use UNIX. The "average UNIX user" knows at least "something" about security. When you first start using UNIX the first thing you find out about is security. Once they know something about UNIX, they start reading some type of document on how to secure a box.

Most of the time, these documents, tell the user to do eveyrthing that Kurt complained about.

MarNuke

Re:*nix users

[Samrobb]

Increasingly, the "average" user is using UNIX, or at least being exposed to it. The problem is... how do you learn something about UNIX, if you don't know anything already? As has been pointed out, documentation (installation guides, bug reports, security vulerabilities) are fragmented; quite frankly, there is no way that a new Linux user can set up a secure system, because existing distros are all installed with certain well-known insecurities.

If you think that's untrue, consider someone with a new computer and a copy of RedHat/Debian/whatever, who get's told that all this wonderful security information is available on the net. In order to gain access to it - and read about how to secure their system - they need to install an unsecure system. Of course, this isn't the reality of the situation - most new users aren't aware of security resources on the net, of course, and nobody thinks to mention them to newbies, because, after all, everybody knows about them, right?

If there was a bug in login that allowed someone to gain root access to your system if a common file (installed by default) existed in /etc, there would be no question - this is a security flaw, and it must be fixed. Saying "Everyone knows that's a problem - if you really know UNIX, you just make sure you remove that file after you do an install" wouldn't cut it.

The same holds true in this case; installing services - like sendmail - that have blatantly stupid default settings and open up a box to potential abuses, just because "everyone knows" that you need to change the default configuration to prevent it, isn't an answer. The systems should install locked down tighter than a miser's wallet, and require a user to gain knowledge in order to expose new capabilities.

Re:*nix users

[D2Deek]

The same holds true in this case; installing services - like sendmail - that have blatantly stupid default settings and open up a box to potential abuses, just because "everyone knows" that you need to change the default configuration to prevent it, isn't an answer. The systems should install locked down tighter than a miser's wallet, and require a user to gain knowledge in order to expose new capabilities.

Debian's sendmail package does not ship in a condition like you suggest. Hell, it doesn't even ship as the default MTA. Exim has been the default MTA since before 2.1 shipped (previously, the default was smail). You only get sendmail if you ask for it, and even then it isn't in an insecure condition.

Likewise, the inetd package's post-install script asks you if you want the "offending" lines commented out for you, recommending "yes", and defaulting to "yes".

Commenting out those lines aren't security measures, either...there have been no discovered security flaws in chargen and friends, and there's not really any reason to think there are any in their code...it's an anti-DOS measure, to keep people from being able to make you flood yourself off the net.

Re:*nix users

[MarNuke]

Increasingly, the "average" user is using UNIX, or at least being exposed to it. The problem is... how do you learn something about UNIX, if you don't know anything already? As has been pointed out, documentation (installation guides, bug reports, security vulerabilities) are fragmented; quite frankly, there is no way that a new Linux user can set up a secure system, because existing distros are all installed with certain well-known insecurities.

The last time a check the "average" computer user is still using windows and still have no idea about running a server or a service. A UNIX workstation is not a desktop. It runs a services. Even X11 is a server. Everything is a server. Anytime you have a server, actions should be taken to make it secure.

Sure, a user who is sick and tried of windows may move to Linux, but have that user ever run a service? Most likely the user hasn't. They have no clue about services. Then they really shouldn't be running a server, but we want people to use UNIX. So maybe when should have a tight distro, totaly secure.

One problem is comes with that is even if you include a 100 page book stating everything that should be done about securing a box, most people will toss it aside and read it when they feel like and most of the time it's when they hack been hacked or think they might have been.

The second problem, they want to use their new found services, they want to have a web server, or a DNS server and don't want to go through all the crap about setuping the proper permissions or go through the hassle of chroot'ing a user into a dir.

Of course there is no excuss for poorly written programs.

If you think that's untrue, consider someone with a new computer and a copy of RedHat/Debian/whatever, who get's told that all this wonderful security information is available on the net. In order to gain access to it - and read about how to secure their system - they need to install an unsecure system. Of course, this isn't the reality of the situation - most new users aren't aware of security resources on the net, of course, and nobody thinks to mention them to newbies, because, after all, everybody knows about them, right?

It's true, but you don't leave all the lights in your house on do you? no, of course not, why? Becuase your power bill will go through the roof. Does everyone know this? Everyone but the people that look at the bill. See my point? It's just common knowleadge to turn off what you don't use. Maybe we should echo to the screen: "Hey, you don't need $process, you might want to trun it off." every few minutes.

Naw, we give *NIX user enough faith to make choices on their own. Nothing is stopping a *NIX user from finding a document stating how to secure a box and it's up to them to find the info.

The same holds true in this case; installing services - like sendmail - that have blatantly stupid default settings and open up a box to potential abuses, just because "everyone knows" that you need to change the default configuration to prevent it, isn't an answer. The systems should install locked down tighter than a miser's wallet, and require a user to gain knowledge in order to expose new capabilities.

Yeah there is something like that, it's called OpenBSD. What I think you are saying is: people who don't know, should be protected from the danger they might get into."

Marnuke

Re:*nix users

[Samrobb]

I've never run Debian - I have to admit, it looks really attractive, so it may be my next box sometime RSN - so I'm willing to take your (and others) assertions that Sebian doesn't do anything this brain-damaged. There are distros that do... though, for the most part, they are becoming increasingly admin-friendly, instead of assuming that you'll be running a system wide-open in a completely trusted environment.

The above rant wasn't particualrly directed at Debian, but at the assumption that people are not just rational, but almost self-abusively logical - that is, that they will bother to learn exactly what sendmail does before installing it; and that they have the tenacity to keep on searching and asking questions even in the face of "RTFM" and "You don't know that? What the hell makes you think you're competent to even touch a *nix system, you flaming Windows luser!" reponses on mailing lists and newgroups.

Flaws in Linux as a Whole...

[d.valued]

I am reminded of the interview with the OpenBSD.. or was it NetBSD.. One of the BSD derivatives. Maybe BSDi... Don't recall the flavor, only remember the guy who started the effort to lockdown BSD for hardcore server use. He said that he main problem with the 'many eyes' approach Linux claims is that not everyone looking at Linux source is a security or programming expert.

Hey, I love Linux! My bigrig and laptop both run it. I just don't trust my server to it... as is.
(The suse_hard script in SuSE 6.4 does a pretty good job locking down the system. Tried it at H2K.. No root cracks.)


"And they said onto the Lord.. How the hell did you do THAT?!"

Re:Flaws in Linux as a Whole...

[Boolean]

That was Theo DeRaadt, he started off on NetBSD then went started OpenBSD for various reasons. I think his idea is a good one, it's true, sure make the source open but don't make it a part of the official OS unless it's good. Linux has a lot of good things in it, but it also has a lot of crap because of this 'many eyes' philosophy.

If you think you know what the hell is going on you're probably full of shit. -- Robert Anton Wilson

RBL

[jaa]

does anyone have any more info on the status of the RBL? The author says RBL hasn't been working properly since 8/10. I find no references/complaints about that on Deja (which strikes me as odd, if there really is a problem). I use it on our mailer, and haven't seen any problems. There isn't any news posted on the RBL site. FUD?

Re:RBL

[Buddy]

The author says RBL hasn't been working properly since 8/10

See: http://www.mail-abuse.org/rss/how.html:

The RSS zone used to have TXT records. It currently does not have text records, as of August 2000. They were eliminated because the zone file is growing rather large. This affects Qmail users who utilize rblsmtpd to check the RSS list, as the previous instructions relied on the existance of TXT records to function.

I'm not sure if or how this affects Exim users (as Exim is the mail server Kurt refers to), and it's not the RBL. For me, RSS hasn't been functioning properly since (about) 8/8.

Automatically getting all the security fixes

[Carl]

Maybe this is not done by default, or maybe it is not documented clearly enough but please always add the following line to your /etc/apt/sources.list:

deb http://security.debian.org/ potato/updates main

And run apt-get update && apt-get upgrade at least once a week. Then you will always have all the latest security fixes (such as for xchat and ntop this week).

Re:Automatically getting all the security fixes

[Eladio+McCormick]

Actually, you probably want that line to be:
deb http://security.debian.org/ potato/updates main contrib non-free

There might also be a line for the non-us collection, but I can't remember what it was right now.

OpenBSD's ftpd

[opus]

Ironically, however, the linux port of OpenBSD's ftpd was not vulnerable, because linux doesn't have proctitle, which is where the vulnerablity lay.

And IMHO, a world readable home directory is good for new users in a multi-user environment. That way, they can ask their colleages for help when they screw their .profile up, instead of bothering the overworked sysadmin.

At any rate, it's not a security problem.

Re:OpenBSD's ftpd

[Millennium]

Shouldn't assume no one will need help either; that's outright irresponsible.

The fact is, more users will need help than not for most situations. This isn't going to change in the foreseeable future. It's only responsible to set up the software to help the newbies by default, with an option to take off the "training wheels" for expert users.

Most coders seem to sometimes forget that we have a responsibility to our users to make the software as easy to use and learn as we possibly can. When we don't do this, we're screwing the vast majority of our users over big time.
----------

Professional

[planet_hoth]

[from www.m-w.com:]

Main Entry: professional
Pronunciation: pr&-'fesh-n&l, -'fe-sh&-n&l
Function: adjective
Date: circa 1748

[...]

(1) : characterized by or conforming to the technical or ethical standards of a profession (2)
: exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

Re:Professional

[MrEfficient]

: exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

This is obviously part of a PHB conspiracy. And besides, the word bullshit isn't necessarily uncourteous, unconscientious, or unbusiness like. Its all a matter of perception.

The reason I have a dislike for this word is or course, my boss. He loves the word "professional". He's a typical PHB. When I give him a report, he isn't concerned with whether the calculations are correct, only with how much higher or lower the numbers are than what he considers "normal". I'm more concerned with technical accuracy, function rather than form. Form will follow function.

Re:Professional

[ParrotDroppings]

In concert with the previous responder:

: exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

Is this the place of work for you or him?
Not the word "generally" which IMHO says that it a frequent occurrance and not 'always' as you imply.

{squawk} Polly wants a Cookie!

---

Re:Professional

[MrEfficient]

Sir, you obviously hold great contempt for my enlightended world view. No doubt you are nescient and incapable of comprehending it. If it were up to me, you sir would feel the lash of the whip across your neck. I wish to have no further contact with a barbarous philistine such as yourself,

Your working boy,
Ted

warning, this post may contain sarcasm, which is known to cause absolutely no reaction in laboratory animals.

Gee, nice response, Ben.

[erat]

This is the exact type of nasty response that the Linux community is known for outside (hell, even inside) Linux circles. No matter how many times we all plea that people keep their cool, there's always someone who just can't resist blowing it.

Please, people, keep your cool when people say negative things about Linux stuff. I don't know why I'm saying it seeing as how very few people seem to hear it, but I'm saying it anyway. Maybe if some of us say it enough, the abrasive minority will start to listen.

You do all of us a disservice when you react like Ben. Yes, the review was misinformed. Yes, this Kurt guy didn't do his homework.

That's the press. If I had a dollar for every time I read a misinformed review of a Linux product, I'd have that MR2 Spider that I've had my eye on.

One day they'll "get it", but until they do we need to guide them a little. Flamage will get us nowhere. Be calm, and people will listen. We need to come out on top here, folks.

newbies

[ArchieBunker]

Thats not going to help the newbies who are running every service and go on irc and get 0wned in a few minutes. Why enable everything when the majority of people don't use them?

Debians use of Crypt vs. MD5, and security audits

[AIXadmin]

One poster who's post I lost track of pointed out that Debian uses crypt instead of MD5. Crypt is compatible with other Unix's. This would provide a easier time migrating passwd files, and shadow files. Second, isn't MD5 just a checksum algorithim? I mean why not use blowfish which is actually meant to encrypt something. With little processser over head. Debian, could get a little more credibility if it would post a formal security review before each release. Something along the lines of 'hey we have done a security audit. Here is a log of the patch's we have applied. And measures we have taken.'
Cheers,
WFE
===========

securing a system

[kel-tor]

so in inetd, what does need to be left enabled before I start disabling everything I don't recognize? what services should be disabled? for an X-Box workstation? for a mandrake'd laptop? for a intranet server running domino and no X?

I look at the list of services and running processes, and I'm not sure that I want to willy nilly disable anything I don't know exactly what it will break, or what it will do for me if I leave it in?

I guess what I'm looking for is a securing a new system checklist. anyone?

Re:securing a system

[osu-neko]

After I finish configuring a system, netstat -a --inet (from root, of course) usually gives me this:

tcp 0 0 *:ssh *:* LISTEN
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7

As you can see, pretty much nothing needs to be left enabled. I'm of the firm opinion that if you don't recognize it, all the more reason you should be disabling it. :)

--

Partitions for *what*?

[Ranalou]

From the article:
I did several installations, and I can safely say I don't terribly like the defaults Debian uses. The first thing I noticed was that while formatting the disk, Debian defaults to an enormous / partition and a swap partition. Unless you use quotas, a user can easily fill up the disk (/home/username, /tmp, /var/spool/mail/username, etc.). While a certain percentage is reserved for root, that doesn't help other users much. Admittedly, most distributions (or operating systems in general, for that fact) don't do a great job of this. But there are a few, like Red Hat, that do.

What? So, after creating a separate /home partition, if a user decides to fill it, this still helps the others using the resource exactly how? If I have quotas, sure, I'll buy that. Just creating a separate partition however does not help in the least. It means I can still get e-mail while I can't create any new files in my home directory- unless the person is more determined, can manage to discern that there may be more than one partition, and fills the mail spool partition, too.

Semi-valid arguments for this might be that you can at least mount some of these partitions noexec or nosuid as a deterrent for casual users and lame crackers. However, this has nothing at all to do with the distribution, or DoS attacks. All Kurt is suggesting is that I should have more granular DoS. Yay. It's still a DoS, no matter how you cut it.

Security Portal, huh? Hrmm.

--Rana

at least it's still better than Mandrake

[Argylengineotis]

I got mandrake this weekend and it would not even install! I'd rather have a few patchable security issues and an installed OS than this!

It crashed out at several Xwindows related packages, things like the glide drivers, but it let me cancel past those errors and continued the install. But it crashed some more during application setup (these were fatal error crashes and the installation crashed out of its runlevel)! It also kept asking for CD's that weren't included with the $30.00 Box package, who knew what I was skipping when I had to cancel through those entire discs. After all that, after finally getting the core installed, LILO wouldn't run at all! kept printing out "LI [carriage return]" over and over till I rebooted. what a depressing experience....

I was doing the install on a completely ordinary machine- a Celeron 400 with an 8x IDE CD-ROM (totally standard issue) and a riva TNT. I installed both Turbolinux 4.0.5. and Redhat 6.2 just fine, after I'd given up on the mandrake. Turns out Turbolinux is smooth and sweet, if a little sparse, and Redhat is the flagship badass distro, AFACT. Anyone else have problems with the Mandrake 7.1 installer? I think it may have been my partition scheme and that the HD was primary slave that caused all this, but Turbolinux and Redhat had no problems with the same setup. overall a big TWO THUMBS DOWN for mandrake!

Microsoft Windows security problem?

[Flammon]

Because this is a serious site and if a title was posted such as "Microsoft security problem?", it would just be too funny to post.

Re:Microsoft Windows security problem?

[pallex]

Mod this up!! :)

`Outlook bloated piece of shit?`

partitioning

[copycat]

i dont know why he's complaining about the deafult install's partitioning scheme.
the default debian install has a swap and a huge / partition. i agree that this is a bad-thing if you have users, in which case thier home directories should be seprate, and so should /var and /tmp, and perhaps have /usr mounted over NFS - but who uses the default install anyway? these people probably do not have users to worry about! since we are not yet using LVM, this is the most efficient way to partition. you will never run into problems where you run out of space on one partition and have to juggle stuff around.
while it is not the way i do it, it is definitly the best choice for new users - the ones who would choose the default install.

X-Chat

[Kymermosst]

X-Chat 1.5.7-devl fixes the issue mentioned. Perhaps the author could have looked at the home page and seen for himself.

Proftpd potental invulenerability

[Masem]

There is a known potental problem with ProFTPd up to rc2, not related to the one that plagued up to .10. Namely, if you issue a "quote '%999'" message while ftp'ing to a proftpd server, you can kill the child process. Is this a source for a potental problem? No exploits are known yet, but the new nightly builds of ProFTPD do remove this problem.

Don't put words in my mouth.

[Dast]

Never did I say Linux is user friendly, or that Linux is right for everyone and their mother.

The fact of the matter is, whenever I visit my mother, I sill have to baby her through *Windows*. She can't install a single piece of software, she can't set up a ppp conection, she can't configure the zip drive she bought, nothing. She knows where to click to check her mail via telnet, and when I tried to convince her to use putty instead, she said her "mail wasn't on putty, it was on telnet". And my mother has four degrees.

As another example, I was down in the telecom office of my university yesterday, and listened to a conversation between a lady having problems with her campus dial in connection and a telecom desk operator. Aparently, when she dialed in, she was prompted for a "new password", leading her to believe her "hotmail and internet explorer been deleted, it was all just deleted". The telecom desk operator's only job was to collect payment, so she couldn't offer any sort of help. This lady was stuck in some sort of wonderland where she didn't understand anything.

I'm a firm believer that unix isn't right for everyone, just, as you can see from the above, that windows isn't right for everyone.

So next time don't put words in my mouth, thanks. Not everyone on /. is a mindless drone.

Oh, don't get me wrong,

[Dast]

I don't think *any* of it is extremely serious, but I do hope to see netscape and lilo fixed in the distro, as they are very commonly used by people. Overall, the author overreacted, but he did have a valid point or two.

Glad to see the hard working folks at debian are on top of it, though, and there is at least a reason behind it all.

SysAdmin Comfort Level

[TWX_the_Linux_Zealot]

I somewhat expect to get flamed for this, but what the hell...

Having used Linux as a toy since the 2.0.0 kernel, and having played with Slackware, RedHat, Debian, and SuSE, I have seen strengths and weaknesses in all of them. It seemed like people were bickering back and forth between each other over really, really trivial differences. I mean, come on people, if you're truly qualified to be working as a SysAdmin, you should know your platform, WHATEVER platform you choose, so points like were mentioned are irrevelant. If you don't know your OS, get a different job. I don't consider myself a Linux admin, despite the fact that I don't use anything else, because all I do is play. I don't know how many slashdotters actually do admin, but I would venture a guess that it is significantly smaller than the total number of geeks posting. It's easy to install an out of the box Debian, RedHat, SuSE, etc, and set up server daemons, and call yourself an admin, but that doesn't make you any better than any idiot who "borrowed" his company's NT Server CD and installed it at home on PC on his cablemodem. Sometimes, it seems like _everyone_ has forgotten why admins are paid well, and that is because they haven't just taken a stupid course at some tech school and passed some lameass test somewhere. They learned through experience, by fixing problems, and by dealing with system crackers from time to time. It's brains that make a sysadmin work, not where the downloaded their OS or what small workarounds, bugs, implementations, etc, need changing.

I personally don't like Debian, I had problems installing earlier versions (2.0 range) that caused the console to stop accept console input for whatever reason, but if other people do like it, fine. If they want it as a server and know what they need/want to fix, let them have at it. It's not like they paid anything for it. I'll stick with my Slackware installation, where they assume that you will handle the little patching and downloading of new daemons. In the mean time, remember that they are the ones developing, and if you want it different, stop bitching and join 'em. If they're being 'leet, and don't want you helping with development, screw them and move to a different disto. Whatever you do, stop whining. It's annoying...

Enough of my rant...

Bugs vs. features

[yerricde]

Bugs arent features, see?

Try telling that to Micros~1.

"PROBLEM: Windows bluescreens when you do foo, bar, and baz. STATUS: This behavior is by design."

<O
( \
XGNOME vs. KDE: the game!

Re:Reaction from an outsider (to Debian)

[planet_hoth]

"Yes. (Maybe I have too much time on my hands, but yes.)"

I cannot believe that Debian users are expected to sift through the changelogs periodically to make sure no security problems have been found. Doesn't Debian make security announcements like most other distributions do??

I, unfortunately, have too little time on my hands.

If someone can tell me a more efficient way to keep up on Debian security, please let me know.

Otherwise, I'm starting to feel more secure in my choice of a non-Debian distro at home and work. (Apologies to all the moderators for daring to question the Holy Church of Debian, of course!)

PS: what's up with my original post being tagged [0: Flamebait]??? What was flamebait-y about it? Slashdot moderators are starting to look like a rabid pack of jack-booted Debian jackasses. GO AHEAD, I have plenty of karma to burn! How's that flamebait for ya! :P

Maybe his employer rushed him out the door...

[scrye]

Kurt and I go way back, and I know he knows what he is doing. I was talking to him just the other night and he was installing debian. Now, i dont know how long he had to write the article, but I feel that Kurt most likely did not have the time to write a proper article? Isn't this how all journalism works? "Get that aricle in here, it has to be up by tomorrow!". The author has to rush and unfortunatly has to rush it out the door.
Also, since when has the linux community been so quick to anger? An angered response is a sign of somthing to hide, and also starts flame wars.

Re:Nobody installs it?

[Strog]

Consider me a nobody then. People have made some of the kind of comments about Linux too but times have changed. Can't crack it if you can't find an install to crack. Most of the Unices have similar security methods and can be locked down to similar levels depending on what is installed. The real complaint should be what is installed and what doors are left open. It wouldn't do you much good to install the latest patched up ftp server and then put the root at / with write access. If we were talking about how Atheos hasn't been cracked then maybe your comment would be a little more valid.

uhhh...

[jmd!]

holy crap, is that kurt guy an idiot. what a waste of slashdot space. some bogus 'security' article by a kiddie.

anyone with half a clue reading that article knows what im talking about. bitching default home directory is mode 755 but then bitching after he 'fixed' it, ~/public_html didnt work.

and the clincher... the one i completly stoped reading at... suggesting all installs should set a lilo password... HELLO? UNATTENDED REBOOTS? idiots...

Re:uhhh...

[jmd!]

ok, i checked the man page, the password is only requested when booting with args...

BUT EVERYTHING ELSE IN THE ARTICLE WAS WRONG...

except about the stuff in inetd.conf, but EVERY DISTRO has that... its not like debian is out on a limb enabling those services... yeah theyre security risks, yeah theyre obsolete... yeah, even distro insists on enabling them...

Oops.

[Bruce+Perens]

Well, I made a total ass of my self with a security-related article recently, too. I apologized as gracefully as I could and learned an important lesson for next time. I think we've got to consider it part of the collective learning process, fix what we can, and go on.

Thanks

Bruce

Re:Debians use of Crypt vs. MD5, and security audi

[phillipkh]

Well, MD5 is a one-way hash function yes, but why would you need a reversible encryption algorithm for passwords?

Password entry is one-way isn't it? It's not like you are using a retinal scanner to request access to decrypt the passwd entry using the data encoded into the backs of your eyeballs. =)

Also, MD5 is a more complex algorithm than 56-bit DES. A machine that can check 1,000 DES keys a second could only do about 100 MD5 hashes. Also with DES there was an 8 character limit on passwords, MD5 expands this to I think 127 (or maybe more?) Greater processor overhead is important here because it significantly increases the amount of time needed for a brute force attack.

-P

Re:Debians use of Crypt vs. MD5, and security audi

[logistix]

The idea of using a hash function like MD5 rather than bona-fide encryption like blowfish for passwords is that it's literally impossible to decrypt the result. The only way to get someones password is to run it though the hash function and see if the result matches their hash. Sure, someone can run random strings through the hash function and find a match with someone's password, but they'll only be able to get access to that account.

With an encryption function, if someone figures out the key, they could concievably decrypt everyone else's password. This doesn't mean blowfish is insecure for passwords though. When the crypt() function uses blowfish, it actually jumps through alot of hoops (like using your password as the encyryption key, that way you would need to know the password to decode it) so that the result is impossible to decrypt.

Kurt's Cluelessness

[tiny69]

http://www.sysadminmag.com/current /feature.shtml

Here is one of his articles that ended up in a printed mag. It discusses PAM and attempts to discredit shadowed passwords in the process. The information is misleading and inaccurate. The article sounds more like it was released from a marketing dept instead of a self-proclaimed security expert.

When he discribes limiting access to ftp, he is basically saying only a good password will limit who can access the system. What about, /etc/ftpaccess or /etc/login.access. Not to mention using tcp wrappers and /etc/hosts.deny.

When he discribes using limits on users, he tries to imply only PAM can do this. Yet he fails to mention /etc/limits. If you 'man limits', you will see the available options are EXACTLY the same the ones he mentions are in PAM.

I see Kurt post to a few security mailing lists, Suse , BUGTRAQ, Linux Security Auditing Project, Bastille, etc. For the most part, his posts are worthless. Claiming PAM is the greatest thing since sliced bread, flaming others for off topic posts, repeating well known information, etc. His new project, LSKB lacks any kind of useful information and is more of a waste of time than anything else.

I have no respect for him and try to ignore him as much as possible.

Re:Reaction from an outsider (to Debian)

[Eladio+McCormick]

Doesn't Debian make security announcements like most other distributions do??

Duh. Subscribe to the debian-security-announce list. If someone can tell me a more efficient way to keep up on Debian security, please let me know.

There's the list mentioned above. And duh, the Debian homepage itself lists recent security issues.

The Debian Security page gives the line to add to etc/apt/sources.list to configure apy to download fixed package.

Frankly, with Debian it is easier to follow security than other distros. You get an announcement of a fixed package, and then you just do "apt-get update; apt-get upgrade".

Re:Reaction from an outsider (to Debian)

[planet_hoth]

Thanks, that makes sense. I figured Debian must have a central source of security announcements (besides package changelogs).

PS: thanks for the patronizing "duhs", you're contributing to my already low opinion of Debian users.

Re:Reaction from an outsider (to Debian)

[Nerds]

PS: thanks for the patronizing "duhs", you're contributing to my already low opinion of Debian users.

I could just as easily say the same thing about you and non-Debian users for making such a ridiculous statment, as if this guy represents Debian users everywhere. Of course, then I'd be guilty of the same thing and this conversation could go on forever...

Re:Reaction from an outsider (to Debian)

[Eladio+McCormick]

PS: thanks for the patronizing "duhs", you're contributing to my already low opinion of Debian users.

The "duhs" are due to the fact that by just looking at the Debian front page, you could have seen that the security announcements are right there. How long could it take you to point your browser at the logical place to find out about Debian, the home page, and skim the page? Certainly less time than what you've spent reading and posting on /.

My own experiences

[ggeens]

A couple of weeks ago, I used Debian 2.2 to set up a test firewall at work. I'll try to summarize what I did.

This firewall is nowhere accessible through the Internet. One ethernet card is connected to the company Intranet, while the other just has a crosscable attached. Because of this, I wasn't very concerned about security. I wanted to practice a little by tuning the box.

(Why this firewall, you might ask? I figured we needed a setup to demonstrate to our clients that our applications will also work through a firewall setup. And I had nothing more important to do - being between 2 projects.)

When the installation program prompted me to allocate partitions, I opted for a root partition, a small /boot, and the second hard disk for /usr. (Nobody really tells you how to partition hard disks - that's why most newbies end up with a single partition.)

At the end of the installation, I was asked whether I wanted MD5 or crypt passwords. The dialog listed some of the reasons why I would want either one.

The default network installation did activate a couple of services like telnet (don't remember which ones), which I had to uninstall. For the builtin inetd services, I didn't even bother to deactivate them. (I'm not sure why I left inetd running. Probably because I wanted one service from the list.)

I did leave exim because I needed a way for the system to report what's happening. Unfortunately, this left a process listening on port 25.

I deactivated X (the PC had a lousy video card anyway).

I had to recompile my kernel in order to support IP forwarding and Masquerading. In the collection of packages I found mason, which is supposed to make it easier to configure a firewall.

I tried this, and I got a list of all the broadcast messages on the company network (quite a lot). I threw away all that junk, and started studying the HOWTOs. I ended up with a configuration that will forward 5 TCP ports (we have a couple of web servers listening on unusual addresses), DNS (for convienience) and ICMP (to facilitate network debugging).

The machine has a couple of services running that might reduce security: DHCP (to configure the client PC), squid and SAMBA (easier access from my own PC).

The bootup settings: no BIOS password (automatic reboots), but the LILO images are restricted (i.e., you need to enter the password if you want to pass options).

Finally, I had to set a few kernel parameters as mentionned by the HOWTO.

All in all, a pretty secure machine, at least from the network. I can't think of anything that would hold of a determined person who gets access to the console.

I can always close up the remaining holes if I want to, but I don't think anyone will try to break into the machine anyway.

All in all, it took 2 days to get everything the way I wanted (not only the security aspects). I learned a lot out of this and, most importantly, it was fun!

Kurt did it again :-)

[deno]

We needed quite a lot of work to get him avare that Mandrake does things somewhat differently... Now he does a similar mistake with debian. Fun. He will gett a lot of JB awards, if he goes on like this...

First I thought that he simply has something against Mandrakesoft, but now... I don't know, maybe he has no time to do a homework on distros he does not use. It is strange, when one knows that he is the author of the "Linux Administrators Security Guide".

Re:Your karma recipe for today

[Fervent]

Kurt's Closet is part of SecurityPortal - he's got some good points, but it's also good to remember, as the article points out, that nothing is automagically secure.

Hmm... Internet Explorer has a minor bug that allows some users to view (not change, mind you, but view) contents on a select number of users hard drives. "The travesty! Has Microsoft no remorse! Clearly they don't test their products, and anyone using them from a security standpoint should be marked as a rat bastard!"

Debian is earmarked for possible security faults. "It's a shame, but I'm sure it won't happen again. Remember people, nothing is 'automagically' secure. Linux users are the cream of the crop, and a bug... well... I just don't believe it myself.

Sigh... when is Slashdot going to be seen as reputable? When they stop throwing a bias at everything involved with Linux.

Usergroup ?

[twixel]

This "makes working on shared projects (in a +s directory) slightly easier" thing is an absolute myth. In order to do what you describe, the user would both have to a) have an idea of how to run chmod and b) actually _run_ chmod, at which point they can change the safe, secure, hopefully default permissions that allow _only_ the original user access to it.

Why would they need chmod? That's the nice thing about the usergroup scheme: it works without additional intervention and with no relaxing of security.

To recap: User home directories are ug+rwx with guid = uid. (umask=007) So all the files created in that home directory are only accessible to that user. Project directories are set g+rwxs, and guid=projectname. Now everyone in that project has access to that directory and every file that is created in that dir is automatically given the right permissions.

And the scenario where someone hacks into /etc/groups, well if they can hack groups, what's stopping them from hacking /etc/passwd?

Can Someone Help?

[konala]

I'm just about to put Debian on a box, and I could really use some help. I thought that there wasn't much to configure outside of the install, but now all this talk is worrying me. Is there some page out there that shows you all of the security vulnerablities when first installing, and how to get rid of them? This would also be preferably without the "EVERYBODY KNOWS" and just use ssh or some little program. All this talk makes me want to continue to work on my Windows box and just skip Linux all together, at least Windows gives you updates for the security vulnerabilties and doesn't tell you "Well, everyone knows about that" I've tried to sift through the jargon, but cmon people, are you trying to make an OS that you want people to use, or only one that you can use? Sorry that it sounds a little harsh, but everytime I ask someone for help with any form of Linux, they tell me to just install and figure it out for myself. Thanks for your help!

KONala &nbsp >^..^<

Re:Can Someone Help?

[rcw-work]

now all this talk is worrying me.

Does a lot of talking make your system more insecure, or does it just make you feel insecure?

It is much safer to be frightened by talk and let the fear drive you to education than to wallow in ignorance.

Anyway, please check http://security.debian.org/ if you're using Debian.

Making a network more secure requires an admin to think of what could possibly happen in any situation. For example once upon a time in a land far far away, someone pondered:

"Hmmm, packet sniffers make it possible for someone else on a network to capture transmitted data."
"Waitasec, telnet is unencrypted! Everything is sent out in the clear."
"Maybe I should stop typing in my passwords via telnet to access a machine remotely."

nitpick

[Soam+Vasani]

nobody really tells you how to partition hard disks - that's why most newbies end up with a single partition.

Actually, this section of the LDP Installation HOWTO says quite a bit about partitioning hard disks. There is also mini HOWTO about it.

assuming you aren't trolling..........

[Scudsucker]

Is there some page out there that shows you all of the security vulnerablities when first installing, and how to get rid of them?

New bugs are posted on the main page, or you can check out Debian's security page for more information. As for holes in default installation, welcome to the beauty of Debian. Edit your /etc/apt/sources.list to include the mirror of your choice, then do "apt-get update;apt-get dist-upgrade" as root. Presto, all your packages are current.

Re:assuming you aren't trolling..........

[konala]

What should I do fix the holes in the default installation? Can you name the things that I need to change passwords on? Thanks a bunch. BTW. I'm not trolling, welcome to the mind of a person that is trying to use every OS at the same time. All the while finding features in one that she would like to see in another, and wanting to remove some "features" from all.

Re:assuming you aren't trolling..........

[Greg+W.]

What should I do fix the holes in the default installation?

The first thing you should do is subscribe to the debian-security-announce mailing list. That way you will be informed whenever a security fix is made available. (Don't worry, it's not often enough to flood your mailbox!)

The second thing you should do is make sure you fetch those updates. You can always get them by hand (the instructions are in the announcements made on the mailing list). An easier way, if your machine can reach the World Wide Web, is to use apt. Put this into the /etc/apt/sources.list file:

deb http://security.debian.org/ potato/updates main

(Make any other changes to your sources.list at this time.) Then run apt-get update , and apt-get upgrade . You can run those commands any time you like, to get the most recent updated packages. Now that potato is stable, there will not be updated packages very often, but it doesn't hurt to check.

The third thing you should do is review what's installed on your system and delete anything you don't want. This is tedious and time-consuming. You also won't be able to make too many informed decisions at first, since you probably don't know what everything does yet.

I haven't installed the newest version of Debian from scratch yet (my Debian boxes are a couple years old), so I don't know how much "cruft" there is in the default tasks. But if it's anything like the previous version (slink) there's probably a whole lot of cruft.

So run dpkg -l | less and actually read through the output. You will probably see some things that look vitally important (like "dpkg" or "libc6"), some things that look terribly unimportant (like "bsdgames"), and a whole lot of things where you can't decide.

Start by removing all the things that you know you don't want. If this is your desktop system and it's behind a firewall, you probably don't need to run a name server or have the Apache web server development kit installed... on the other hand, if this is your firewall, you probably don't want xbill installed. ;-)

Once you've done all of those, take a look at some of the individual packages. You can use "dpkg --status packagename" to see all the meta-information about the package, including its long description. (You can also see this in "dselect" if you use that program.) Then try removing some of them. Remember two things here:

1. If you try to remove something that's "Essential" to the system, you won't be able to do it without explicitly overriding the error messages.
2. If you remove something that it turns out you wanted to have, you can just reinstall it. By default, when you "dpkg --remove" a package (or do the equivalent in dselect or apt-get), all the config files are left on the system. When you reinstall that same package, it will keep your old config files. (Read the dpkg man page for more info.)

The fourth thing to do is to look at the system from the outside point of view. Try port-scanning your box from somewhere else on your network (another Linux box running nmap is a good way). If you see a port that's open, find out why. (Hint: lsof -i :25 will show you the processes listening on port 25. Or, fuser -n tcp 25 will give you the process numbers, which you can then look up with ps.)

At first, you may not know what each of these services is, so you'll have to do some research to figure out whether you want to keep them. Find people you trust and ask them, or hit the docs.

When you find services you want to disable, find out how to do it. The methods vary with the service -- some services run as a standalone process (like sshd on tcp port 22). Some run under the control of inetd (like telnetd on tcp port 23). Some may run either way, depending on which program is implementing that service and how the program's configured. (E.g., sendmail runs as a standalone daemon and offers smtp service (tcp port 25), whereas qmail-smtpd could run from either inetd or under control of a separate program called tcpserver.)

Each service is different, so you will have to do some investigation to figure out whether you want to disable them, and if so, how to do it.

By the time you've done all that, you won't be a newbie any more. ;-)

The fifth thing you should do isn't specific to Linux or Debian. You should make regular backups of your important data. I'm constantly amazed at how many people fail to do this. The most important things to back up are your personal data (/home) and your system configuration files (/etc). (Note that Debian policy requires all configuration files to be under /etc.) If you've got more room, you should probably back up /var and, if you use it, /usr/local. If you still have more room, back up the whole file system hierarchy.

Also, make sure you have more than 1 backup. Don't just reuse the same tape every time -- have at least two tapes (or Zip disks, or whatever) and alternate between them. Better yet, have a lot of them and rotate them (use the oldest one each time). If you're doing this on an important system (not just your personal toy), you should ship some of those backups off-site in case of a major disaster.

Can you name the things that I need to change passwords on?

There isn't anything you need to change passwords on -- but you might want to set a few passwords.

Your user accounts (most especially root!) should all have good passwords. That's absolutely essential.

Beyond that, it depends on how paranoid you are, and how much the data on your system is worth to an attacker. It will also depend on external factors (e.g., is the computer locked in a room to which only you and your boss have keys?).

You can set a password in LILO (assuming you use LILO to boot), which will prevent users from passing boot parameters to the kernel. But in order to pass boot parameters to the kernel to LILO in the first place, they have to be physically present at the keyboard, and they have to be able to cause the machine to reboot (e.g., by disrupting its electrical power).

A user with physical access to the machine has other options, however, besides LILO. They could insert a floppy disk and cause the system to boot. You can prevent this by telling your computer not to boot from floppy diskettes (in its BIOS), and then setting a BIOS password which prevents the user from changing the BIOS back to its defaults. (This has nothing to do with Debian or even Linux.)

The problem with this is that it's still possible to override the BIOS password, either by changing a motherboard jumper, or by temporarily removing the battery, or by stealing the hard drives. This requires access to the inside of the machine, which is why some people here have been talking about locks on the computer's case.

Personally, I don't bother with any of that stuff. If a system has to be secure against the kinds of things discussed in the preceding few paragraphs, then it should be in a secured room.

Re:Reaction from an outsider (to Debian)

[planet_hoth]

You are right. I am stupid. It is far easier to search the web than it is to ask a simple question on slashdot and get flamed to hell and back for being stupid and asking questions. I am so glad you are here with your gigantic noggin' to point out the error of my ways, Eladio.

Re:OpenBSD rocks

[kijin]

You can do a minimal install with most linux dists and probably with all the other bsd's which would probably lead to nothing being remotely vuln.

using multiple partitions while installing Debian

[Scudsucker]

After you mount your swap and root partitions, I think the next action by defualt is to install the kernel, but alternatively you can select "initilialize another linux partition". It'll format the partition and then ask you where you want to mount it. Not very intuitive, but once you know what option to use its easy to set up seperate partitions for /var/cache or /home, et al.

Security vs Convenience, Experts vs Novice

[DLG]

Ok, well to start I have been running a server on the internet for 6 years and I admit that I am not always the best administrator, especially in terms of security updates. One of the risks of having an OS that can stay up for a year at a time is that you leave it alone since it is working. As time goes on and exploits are discovered it takes a special attention or a full time job to catch every security hole. As such one has to commend Kurt for making an effort to analyze security issues in ANY distro. As to his lack of understanding of DEBIAN's policy on backfixes, well perhaps it should be made clearer. I am a VERY experienced programmer and administrator in terms of Linux and I LIKE reading changelogs but I don't always get a chance to and a Novice is unlikely to know much about that. In any case Kurt made a mistake and he apologized gracefully, as opposed to the Debian response which was sort of harsh.

That brings me to TWO points. Alot of this discussion has turned into "Everybody Knows" and people need to shut off everything in the machine to make it secure.

#1. If everybody knows, that implies a culture which doesn't accept newcomers with a proper sense of respect. We want new people to use Linux (supposedly) but then we say that it is ok to leave certain security holes because everybody knows to close them. That is nonsensical because what it implies is that the only important people to consider on these installations is experienced users, when a truly experienced suer is NOT the target of this sort of install. Infact one of the joys of Linux is that a really experienced user can make their own canned distro anytime they want, and can essentially fix the assumptions of a distro to their own desire. Yey... Newbies on the otherhand need alot of guidance, more than Linux or Microsoft give. My understanding is that Apple managed to make it so that one can turn on their G4 models with airport and run a webbrowser immediately. That is FAR closer to what newbies need. Closing off security holes as the first step is NOT.

#2. My father has been in the industry since the 60's and he basicly told me that the perfectly secure machine has NO access. Basicly on one side is the availability of services, and on the other side is security. the more services the less secure. People ehre are mandating locking floppy drives, welding shut cases, turning off services.

This is sort of ironic. Even when I started using Linux (Slackware with kernel .99p16) there were good services available and THAT was why I began running it. Fear of being hacked was not what turned me on to Linux. it was the fact that I could take my little 386sx and make it a SERVER. SERVER implies SERVICE. Now I understand folks are trying to switch linux into a desktop machine, and for that maybe it is best to take on the macintosh model of NO SERVICES. Seems to me that could be a REALLY small distro compared to these massive cd sized ones. Even so eveyone wants a webserver, having your own nameserver is nice, a mailserver can be handy, an ftp server solves alot of problem, and hey its nice to have remote access, even if you jsut want your friend to help you on the machine, and so it goes.

Before one evaluates security one needs to evaluate use, and while a distro can be helpful to give a new user an idea of the risks versus the benefits of any decision they make in terms of services and security, there is never going to be a hard enough solution to protect against local penetration, no matter what folks say. In circumstances where someone has physical access to a server even if one can't physically tamper with the machine, effective surveilance, keyboard taps, and any sort of wiretap on datalines makes true security difficult especially in circumstances where the average user STILL probably uses a variation of his/her kid's name as a root password. Or worst writes it down.

Linux has come a long way, and Debian, Redhat, Slackware, SUSE, and every other distro makes a competition of both features and philosophy that is so valuable to the community, that discussion of fragmentation has seemed to fall off in the last year. We can see that ALL Linux is growing, and we are indebted to all those who have examined security issues on EVERY package, every DISTRO, every OS, every kernel. However security is a wide scale and no system that runs power is truly secure. Lets just be thankful that we are talking about a system where users CAN learn to secure their system by themselves.

dlg

Use at your own risk - fix it yourself

[Crag]

I don't think "geeks" have been saying everyone has to do full testing of their entire distribution. That would defeat the purpose of having a distribution at all. You might as well run Slack. :)

Distributions are collections of software pre-maintained at a certain level. If you need more than that (for work or whatever) you add it yourself. If you are building a server, and you're paid to do it, you will do this ANYWAY. It wouldn't even have to be a UNIX server. This is the same as testing the brakes on a shipping vehical. You will do it on delivery, before use, and on a regular basis because money and lives other than your own are at stake.

If you care if someone breakes into your car or computer, it is your responsibility to take whatever steps you feel are sufficient to make sure that doing so is difficult enough. It is never impossible to break into anything.

Linux is both a desktop and server kernel, and Debian, RedHat, and others are also useful for the range of roles from tinker toy to big iron. The distribution maintainers and upstream developers have no requirements other than those they place on themselves. They are volunteers! Anything you want more than what you get, you have to buy or do yourself. If you want guarentees, be prepared to pay someone to get insurance against your guarentee. That's what car companies do.

So, yes, if you care enough if it works to your specs, test it yourself. If you don't care if it works, quitcher bitchin'.

Compared to Windows you mean?

[Greyfox]

A newbie won't be able to keep a system secure, Windows or Linux. His best bet is to hop on a system you can't get back to like AOL, use a text only mime incapable mail reader and use mosaic. That would be a reasonably secure environment for a newbie.

Chmod...

[Greyfox]

Yah. Generally you WANT the owner of the home directory to be able to rwx in it.

Why is it that so many non-Debian people write...

[YoungHack]

Why is it that so many non-Debian people feel like they have to write about Debian's shortcomings anyway? It seems that every time I read something about Debian it becomes immediately apparent that the author is not actually a user of the system.

Just recently, Linux Magazine had an article about package managers. The author said he would talk about rpm's, deb's, and tgz's. Later in the article, (I am paraphrasing here) after a lengthy discussion of rpm's was a statement that "deb's probably work about the same way". In other words, the author never really uses them. Just once in a mainstream article I would like someone jump up and down and in bold print say "the recursive dependency checking of deb's, etc., is just outstanding". It is solid, reliable, and works.

Alas, here I am, not really an expert with rpm's. But my colleagues would seem to be at least as expert with rpm's as I am with deb's, and I can say that deb's seem to offer fewer problems than rpm's over the course of time. (I.e. I have never had a deb decide to break my copy of dpkg and then my copy of gcc leaving me with a machine on which I can no longer compile packages and for which I can no longer install a working compiler).

I use both rpm-based systems and deb-based systems where I work. My bias is obviously toward Debian (I am writing this). But I never - never - have to clean-install my Debian system.

OK, I am running out of wind. So I end with my small but fervent opinion: Debian is a good.

mail (pine), finger, telnet, ftp

[phossie]

many, many people that attend some sort of secondary educational institution know these four commands. some of these people figure out that the system which is giving them the sort of opportunities they have might be useful for them personally, on their own box.

these people have gotten their grubby hands on a redhat cd - they're competent users of windows, however so much of an oxymoron you think that is - and they've installed it. then they've tried to use it... but the help and man pages suck if you don't have an understanding of the system as a whole when you start. i'm guessing here, but some people think that servers are necessarily more powerful machines, and may install with server options just because it's cool. dumb? absolutely. common? probably.

What I think you are saying is: people who don't know, should be protected from the danger they might get into."

hey - people who don't know what's out there should be protected from the danger they can put you into, smartypants. does that make more sense inside your little box?

The real point here is that "common knowledge" is a frightful way to decide what security defaults should be. A good configuration, as pointed out many times in this discussion, should be locked down from the start. If you want to turn something on, then you're going to have to:

• Find out what it is that you want to turn on
• 
  Read about how to turn it on and how it works
  Read about any security flaws it may have
  Read about how these relate to the system
  Think about it

You can't force the last point, but it would be relatively trivial to implement everything else. There's no reason that any distro of any OS should default to anything other than maximum security. If you want to repetively install something else, you should already have to have aquired the knowledge of what you're doing and the 'expertise' to automate that.

People like you make software suck.

Re:mail (pine), finger, telnet, ftp

[Samrobb]

Well said. The traditional *nix environment seems to assume you have a guru around to train you how a system should be run. There's little or no emphasis on giving someone a system where they can start off from a known, safe quantity and (probably slowly) learn what they need in order to become a competent user or user/admin.

Re:Reaction from an outsider (to Debian)

[baka_boy]

The original issue arose because the article's author had seen security advisories about the versions included in the 2.2 release, and simply hadn't realized that the fixes for those problems had been backported. While it may show a poor understanding of the Debian distribution, it does not reflect poor administration practices.

ROTFL

[Helmholtz]

*cough* *cough* hummmmmm ... heh.heh.he...bwahahahahahahahahaha!

Re:Home directory permissions

[Knuckles]

Moderators, "-1 Flamebait" is not appropriate for the above post.

Re:Home directory permissions

[Ed+Avis]

Yes, it is annoying that .bash_history gets created 644. I don't know why bash doesn't create it with a sensible mode to start with. (Although even here you can argue that this is illusory security - anybody could run 'ps' every second and get a complete log of the commands you run.)

I don't think that's a reason to change default permissions for all files in a home directory; the answer is to fix bash. I don't see how .newsrc or .bashrc is particularly sensitive. If your account could be compromised by somebody who knew the contents of .bashrc, making it go-rwx is just security through obscurity. (If you do have secret stuff like database passwords, put them in a separate file and read them in.)

Re:Home directory permissions

[Balp]

Secure system does not mean closed system. In almost every case the read permissions on the home directory does not have any effect on the security of the site. It actulla ofter gives more security problems not having the home directories readable for uther users that not having them readable.

Side-note correction?

[icqqm]

It's nice that he apologized (just about unheard of kind of apology for a journalist) and that he posted a response to his website, but why not include it at the beginning of the article? It seems to be a sidebar (which looks enough like regular sidebar crap to be ignored by users) and the article has been just about untouched. Doesn't seem right to me. Nevertheless, still nice he apologized.

Re:Let me see

[matthead]

No, not at all. They'll backport your bugfixes (not your new features) and call the package "aicq 1.1-2" or something similar.

The point is that you have a feature freeze for the software. You don't have to worry about having to upgrade libicq along with aicq; you know that the library requirements and all will stay the same.

-Matthead

suggestion for moderators

[sunking7]

This is just a suggestion for you guys so you can use your mod points more productively...

If the parent of a reply is off-topic, then moderating down the parent allows the thread to be offtopic. My reply to his off-topic was not off his topic, was it?

Just a suggestion...