Mailinglist Archive: opensuse (982 mails)

Re: [opensuse] Running old version
On 09/25/2014 05:37 PM, Greg Freemyer wrote:
> On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers
> <cmyers@xxxxxxxxxxxxxxxxx> wrote:
>> I have a quick question for folks who run old versions of oS. I know that
>> there are a lot of folks (myself included) who are running older versions of
>> oS, because they don't really have a reason to upgrade - everything is
>> working properly and has been configured over the course of many months to
>> run smoothly and exactly the way we want/need it to.
>>
>> My question is - how do other folks handle security vulnerabilities like
>> this current bash vulnerability? Since oS isn't releasing patches for 11.4,
>> 12.2, etc. anymore, how do you get around that? Just leave your machines
>> vulnerable? Or compile your own patches?
>>
>> Chris
>
> For bash / shellshock, why do you think you're vulnerable?
>
> AIUI, it's not an escalation vulnerability, it just allows apps to get
> out of a sandbox.

Perhaps into another, enclosing sandbox.

> Thus if you have a webserver on your machine, it might let a webclient
> get out of the apache setup and into machine proper. They would still
> only have the privileges of Apache (or whatever user you run your
> webserver as).

And if you run the Apache server chroot'd then even that is just in
another sandbox. If you've taken care with the setup there is going to
be a very limited set of executables and libraries available.

The main problem with chroot'ing is that it does little to nothing for
the network side of things. If your chroot'd space has a PHP or Perl
executable to support the CGI then the hacker could use those to make a
network move.

Of course the server could be running on a very stripped down virtual
host with a virtual IP address and very aggressive firewalling.

But the major problem is the database. Most web based applications are
backed by a database. Perhaps it runs on another machine and is accessed
via a network connection. After the hack it can still be accessed.

But please do run the server chroot'd or in a VM as a baseline measure.
It may not be absolute security but it is another layer. There's no
point in making things easy for the hackers.

> Are you running any services on those old machines that serve the Internet?
>
> If the only service is ssh, then the user has to log into ssh before
> trying anything. If you let those ssh users have an unlimited shell
> already, I don't think the vulnerability will give them any new way to
> penetrate your machine.

Indeed. SSH penetration is another, quite different, can of worms.



--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
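An added example, not code from the thread or from openSUSE: a small audit that checks a chroot tree for exactly what the reply above says should not be in it (script interpreters such as PHP or Perl, network clients, and setuid binaries). It assumes POSIX sh and find; the chroot path and the name lists are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a chroot tree for the
# things the discussion says should not be there: script interpreters and
# network clients (a way to "make a network move") and setuid binaries.
# Assumes POSIX sh and find; the chroot path is supplied by the caller.

# Name lists are assumptions; extend them for your own setup.
AUDIT_INTERPRETERS="perl php php-cgi python python2 python3 ruby bash"
AUDIT_NET_TOOLS="curl wget nc ncat netcat telnet ssh scp ftp socat"

# Prints one finding per line as CLASS<TAB>path, sorted.
# Returns 2 if the directory does not exist, 0 otherwise.
audit_chroot() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    {
        for name in $AUDIT_INTERPRETERS; do
            find "$root" -type f -name "$name" | while read -r f; do
                printf 'interpreter\t%s\n' "$f"
            done
        done
        for name in $AUDIT_NET_TOOLS; do
            find "$root" -type f -name "$name" | while read -r f; do
                printf 'net-tool\t%s\n' "$f"
            done
        done
        # setuid/setgid files would let an escaped CGI climb past the web user
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) | while read -r f; do
            printf 'setuid\t%s\n' "$f"
        done
    } | sort
}

# Number of findings; 0 means the tree holds only what it needs.
audit_chroot_count() {
    audit_chroot "$1" | wc -l | tr -d ' '
}

# Run directly: sh audit_chroot.sh /path/to/chroot   (path is a placeholder)
if [ $# -gt 0 ]; then
    audit_chroot "$1"
    echo "findings: $(audit_chroot_count "$1")"
fi
```

A clean result only says the obvious tools are absent; libraries and the database connection the reply mentions still need their own review.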

