patches (was Re: linux security)

David Talkington dtalk at u.washington.edu
Wed Jan 22 18:00:00 PST 2003



M. Hornung said on Wed, 22 Jan 2003:

> |The quickest path to updates is always to forego vendor binaries entirely
> |and use only source from the developers, wherever possible, and again, the
> |response time varies.
> 
> My complaint about this approach is that it becomes more difficult to
> maintain software (more so if you're deeply enmeshed in the RPM world), and
> sometimes vendor RPMs (and vendor source code) are different from what
> Red Hat, for example, expects.

Sometimes, but it's not a problem if you keep your namespace separate from
the vendor's.  You do screw yourself if you install custom stuff in
'vendorspace' in /usr.  Maintaining a sovereign set of custom packages and
libraries in /opt or /usr/local is no problem, as long as your stuff has
the right lib and bin paths.  And RPM (at least in vendorspace) won't let
you install multiple versions of anything, which is sometimes desirable.

Hafta be careful in /etc, too, and don't store your configs where Red Hat 
does.

> One way to partially mitigate the window of vulnerability is to put good
> ACLs on your box - via a firewall, tcp_wrapper, within the application, or
> preferably using a combination of those things.

That's ok as far as it goes, but for world-accessible services (that won't
benefit from host-based access control), you still have that unpleasant
choice: run it vulnerable until the vendor (somebody say 'Sun'?  *spits* )
gets a clue, or turn it off in the interim.

On Red Hat systems, I compromise by using RPM for most things, but manage
source for any service that faces the internet.  That restricts the
wait-for-the-vendor stuff to only local exploits, and keeps me right on
top of anything that might expose me to a remote compromise.

-d

--
David Talkington
dtalk at u.washington.edu

PGP key: http://staff.washington.edu/dtalk/AED8EEA8.asc
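One way to check a locally built service against the 'vendorspace' rule discussed above, as an added example that is not from the original mail: it audits a constructed install manifest (what a `make install` would write) for files that land in vendor-managed prefixes or that would overwrite a vendor-owned file. The RPM-owned list is a constructed stand-in for `rpm -qal` output, since the check is meant to run offline.

```shell
#!/bin/sh
# Constructed sample: files a locally built service would install
# (e.g. taken from a staged DESTDIR listing). Not from the original mail.
INSTALL_MANIFEST='/opt/myhttpd/sbin/httpd
/opt/myhttpd/lib/libmyssl.so.1
/usr/lib/libmyssl.so.1
/etc/httpd/conf/httpd.conf
/usr/local/etc/myhttpd/httpd.conf
/usr/local/bin/myhttpd-ctl'

# Constructed sample of vendor-owned paths. On a real box this list
# would come from:  rpm -qal   (every file owned by any installed RPM).
RPM_OWNED='/usr/sbin/httpd
/etc/httpd/conf/httpd.conf
/usr/lib/libcrypto.so.2'

# in_vendorspace PATH -> exit 0 if PATH sits where the vendor installs
# (/usr, /etc, /bin, /sbin, /lib) rather than in /opt or /usr/local.
in_vendorspace() {
    case "$1" in
        /usr/local/*|/opt/*) return 1 ;;
        /usr/*|/etc/*|/bin/*|/sbin/*|/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm_owned PATH -> exit 0 if an installed RPM already ships that file.
rpm_owned() {
    printf '%s\n' "$RPM_OWNED" | grep -qx -- "$1"
}

# audit_manifest -> one line per problem:
#   COLLISION    the install would overwrite a vendor-owned file
#   VENDORSPACE  the file lands in a vendor prefix, so a later RPM
#                update may silently replace or remove it
audit_manifest() {
    printf '%s\n' "$INSTALL_MANIFEST" | while IFS= read -r f; do
        if rpm_owned "$f"; then
            echo "COLLISION   $f"
        elif in_vendorspace "$f"; then
            echo "VENDORSPACE $f"
        fi
    done
}

audit_manifest
```

On a real system, replace the two constructed lists with the output of `rpm -qal` and a listing of the staged install tree.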