Re: [suse-security] nscd and other demons
On Wed, 22 Sep 1999, Martin P. Peikert wrote:
Try editing the configuration file!
See below,
and then warn the user of the security risks involved with the running of that demon,
I don't think that this is always possible. Most (I hope so!) of the security related bugs are not known at the date of the distribution release.
Fair point, but there are ways to set up a service to make it more bullet proof. Off hand I can't think of an eg, which doesn't help my case. Wasn't there some talk on this list a month or so back where starting some demon with a certain tag made it open to DoS attacks?
possibly by directing them to some security documentation. Most users will be unaware of what demons are running,
True. That's not their job, it's the job of your sysadmin.
Sorry should have been more specific. By user, I meant someone who uses Linux at home, and is both the sysadmin and the only user. Someone in the situation I am.
and what those demons are, so they're unlikely to know about the security of them. More advanced users are less likely to use yast for getting demons started.
Why? Edit the config - see above...
Why what? Why are more advanced users less likely to use yast? That seems to be the question you're asking, but given it's followed by "Edit the config" I don't think that's what you meant.
Like I said, editing the config files is fine if you know where they are, know how to edit them, and know what format to add entries in, if you are a more advanced user. I personally stopped using yast after it messed with my sendmail and ppp configs, which I'd spent week getting to work. I like knowing how to do stuff manually, I dislike 'clever' programs. Others do like them, and some people need them. I think Linux should be open to everyone, not just those able to learn, and 'roll their own' config files.
Home Linux users may well be new to Unix, they may not know where the configuration files are, or even that they exist. Some won't know what demons are, or don't fully understand the concept of them, and are unlikely to use them. Assuming that the user who is also the sysadmin will know about stuff like this is, IMNSHO, stupid. If they came from a Windows world, they had everything available through a point and click control panel. Now I don't use X so I'm not sure on this, but I'm willing to bet that there isn't the equivalent of the Control Panel for KDE/Gnome, not one which covers stuff like starting and stopping demons, anyway.
Just an idea.
Obviously an idea that doesn't go down well with people who think that the only people able to run Linux should be the ones who already know how to.
cog
--
David M. Webster (aka cogNiTioN)
S H U N A N T I O N L I N E
cognition@bigfoot.com
cognite.net will be online RSN.
I use Linux everyday to up my productivity - so up yours!
Dear cogNiTioN, concerning your mail sent on Wed, 22 Sep 1999 let me reply the following:
Why? Edit the config - see above...
Why what? Why are more advanced users less likely to use yast? That seems to be the question you're asking, but given it's followed by "Edit the config" I don't think that's what you meant.
It's the YaST option 'edit config' I meant.
Like I said, editing the config files is fine if you know where they are, know how to edit them, and know what format to add entries in, if you are a more advanced user. I personally stopped using yast after it messed with my sendmail and ppp configs, which I'd spent week getting to work. I like knowing how to do stuff manually, I dislike 'clever' programs. Others do like them, and some people need them. I think Linux should be open to everyone, not just those able to learn, and 'roll their own' config files.
I started using YaST one year ago, I didn't know it before - and I'm working with Linux since about four years. I like 'clever' programs - if they really do what I want them to do - and that is what I always proof when I use 'clever' programs that hide what's happening. Anyway, it is _one_ tool, and one won't be enough to do it all (I had that ppp problem, too). Of course _everything_ that YaST does can be done manually - if you know how.
Home Linux users may well be new to Unix, they may not know where the configuration files are, or even that they exist. Some won't know what demons are, or don't fully understand the concept of them, and are unlikely to use them. Assuming that the user who is also the sysadmin will know about stuff like this is, IMNSHO, stupid. If they came from a Windows world, they had everything available through a point and click control panel. Now I don't use X so I'm not sure on this, but I'm willing to bet that there isn't the equivalent of the Control Panel for KDE/Gnome, not one which covers stuff like starting and stopping demons, anyway.
Just an idea.
> Obviously an idea that doesn't go down well with people who think that the only people able to run Linux should be the ones who already know how to.
If someone got me wrong, I want to state my opinion: the configuration of Linux should be understandable for all users - not only the experienced.
The problem we discuss here is the following (correct me if I'm wrong): if all daemons that listen to ports are disabled/enabled by default, how should a home user with no knowledge in security and no experience in configuring Linux know which one and how to enable/disable?
An idea (to the SuSE people): I think if YaST would offer the service (enabled by default) to tell the superuser before enabling such a daemon that this could open a security hole - that would be a first step to sensitize users. An experienced user should be able to disable/enable that service (and any other, too) - but _not_ using YaST.
Martin