On 09/25/2014 05:37 PM, Greg Freemyer wrote:
On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers <cmyers@mail.millikin.edu> wrote:
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For bash / shellshock, why do you think you're vulnerable?
AIUI, it's not an escalation vulnerability, it just allows apps to get out of a sandbox.
Perhaps into another, enclosing sandbox.
Thus if you have a webserver on your machine, it might let a webclient get out of the apache setup and into machine proper. They would still only have the privileges of Apache (or whatever user you run your webserver as.)
And if you run the Apache server chroot'd then even that is just in another sandbox. If you've taken care with the setup there is going to be a very limited set of executables and libraries available. The main problem with chroot'ing is that it does little to nothing for the network side of things. If your chroot'd space has a PHP or Perl executable to support the CGI then the hacker could use those to make a network move. Of course the server could be running on a very stripped down virtual host with a virtual IP address and very aggressive fire-walling. But the major problem is the database. Most web based applications are backed by a database. Perhaps it runs on another machine and is accessed via a network connection. After the hack it can still be accessed. But please do run the server chroot'd or in a VM as a baseline measure. It may not be absolute security but it is another layer. There's no point in making things easy for the hackers.
Are you running any services on those old machines that serve the Internet?
If the only service is ssh, then the user has to log into ssh before trying anything. If you let those ssh users have an unlimited shell already, I don't think the vulnerability will give them any new way to penetrate your machine.
Indeed. SSH penetration is another, quite different, can of worms.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?