Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] Minimum number of packages
  • From: Avtar Gill <av_gill@xxxxxxxxxxxx>
  • Date: Sat, 06 Mar 2004 15:27:57 -0500
  • Message-id: <404A344D.7080501@xxxxxxxxxxxx>
Robert Schiele wrote:

> Installation of a tool or daemon package does not make your server more
> vulnerable as long as you do not enable this service.

Fair enough but if the tool or package isn't being used and thus not
necessary then why leave it on the server? Leaving gcc on a computer
that doesn't require it doesn't automatically make it vulnerable but if
a local user's account gets compromised then gcc can be used to compile
various utilities that will probably not contribute to the security of
the computer or network. Now how a user's account would get compromised
is another story and concerns a different layer of security but my
point is that several security experts advise to keep as few files
(I guess mainly suid/sgid ones) on servers as necessary.

> And I do not understand why a system should be easier to manage when you
> have fewer files installed.

It's good practice to keep an eye on what updates need to be installed
and test those updates first to make sure that when installing them on
production machines they will perform as expected. Fewer packages
installed means fewer updates apply to you. I don't understand the
point of *not* removing unrequired packages.
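
As an added example (not part of the original message or the list archive): a small audit script for the two things the message singles out, setuid/setgid files and an unneeded compiler such as gcc. The function names and the build-tool list are assumptions made for illustration; `rpm` is assumed because SUSE is RPM-based, and `stat -c` (GNU or busybox) is required.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and build tools on a server.

# list_privileged_files DIR
# Print "<octal-mode> <path>" for every regular file under DIR that has the
# setuid (4000) or setgid (2000) bit. -xdev stays on one filesystem.
list_privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort -k2
}

# find_build_tools DIR...
# Print the path of each compiler or build tool found in the given directories.
# The tool list is an assumption; extend it to match your distribution.
find_build_tools() {
    for dir in "$@"; do
        for tool in gcc cc g++ c++ make as ld; do
            [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ] && printf '%s\n' "$dir/$tool"
        done
    done
    return 0
}

# owning_package PATH
# Name the RPM package that owns PATH, so an unused one can be removed.
owning_package() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) && echo "$pkg" || echo unowned
    else
        echo unknown   # no rpm database on this host
    fi
}

# audit_report ROOT BIN_DIR...
audit_report() {
    root=$1; shift
    echo "setuid/setgid files under $root:"
    list_privileged_files "$root" | while read -r mode path; do
        printf '  %s %s (package: %s)\n' "$mode" "$path" "$(owning_package "$path")"
    done
    echo "build tools present:"
    find_build_tools "$@" | sed 's/^/  /'
}

# Run the report only when asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_report / /usr/bin /usr/local/bin /bin
fi
```

Each package named in the report that the server does not need is a candidate for removal, which also shrinks the set of updates to test.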
