Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] Minimum number of packages
  • From: Robert Schiele <rschiele@xxxxxxxxxxxxxxx>
  • Date: Sat, 6 Mar 2004 22:12:28 +0100
  • Message-id: <20040306211227.GA13647@xxxxxxxxxxxxxxxxxx>
On Sat, Mar 06, 2004 at 03:27:57PM -0500, Avtar Gill wrote:
> Robert Schiele wrote:
>
> >Installation of a tool or daemon package does not make your server more
> >vulnerable as long as you do not enable this service.
>
> Fair enough but if the tool or package isn't being used and thus not
> necessary then why leave it on the server? Leaving gcc on a computer
> that doesn't require it doesn't automatically make it vulnerable but if
> a local user's account gets compromised then gcc can be used to compile
> various utilities that will probably not contribute to the security of
> the computer or network. Now how would a user's account get compromised

If an account gets compromised, the attacker could just copy any binary from
remote he wants to have. An attacker compiling the binaries on the remote
system would be a really stupid attacker anyway.

> is another story and concerns a different layer of security but my
> point is that several security experts advise to keep as few files
> (I guess mainly suid/sgid ones) on servers as necessary.

suid/sgid files are another topic. But regular files could be installed by an
attacker anyway.

> >And I do not understand why a system should be more easy to manage when you
> >have some less files installed.
>
> It's good practice to keep an eye on what updates need to be installed
> and test those updates first to make sure that when installing them on
> production machines they will perform as expected. The less packages
> installed means fewer updates apply to you. I don't understand the
> point of *not* removing unrequired packages.

For unused packages without suid/sgid files it makes no difference whether you
have them installed or not or whether you test and install updates or not.

So, if you like then uninstall them. I just wanted to express that it is
pointless whether you do or not.

Robert

--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@xxxxxxxxxxxxxxx