[1039] in linux-security and linux-alert archive


Re: [linux-security] Re: Possible bufferoverflow condition in lpr, xterm and xload

daemon@ATHENA.MIT.EDU (Alex Mottram)
Wed Aug 21 06:31:47 1996

Date: Tue, 20 Aug 1996 10:13:54 -0500 (CDT)
From: Alex Mottram <alex@dns1.net-connect.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0usl9U-00000TC@sandman.pb.owl.de>



> Personally, I'd wish to have a distribution kit that would ask me
> whether I want a "merely open" or a "secure" system. For development
> purposes or as a real end-user system, the current state of most
> distributions (which I consider as "open") is okay, but systems to
> be connected to open networks such as the Internet need more security,
> and - simply said - fewer s-bit programs and pre-configured services
> (/etc/inetd.conf etc.).
> 
> Is anybody out here who deals with distribution kits and their
> installation scripts? It shouldn't need much effort to separate binary
> tree and configuration files and stuff them into two packages. Next
> step just would be to offer (at least) two configuration packages
> alternatively, each with a configuration tree and a small installation
> script setting/resetting some "critical" s-bits.
> 
> What do you think about this?

Personally, I find that doing a "cd / ; find -perm -04000 -user root" and
removing the sbits from just about everything works fine.  After that, a 
quick pass through /etc cleaning up a few files like inetd.conf,
hosts.allow, and hosts.deny should take care of most problems.  I
personally feel that all hosts should be denied by default.  Period.

If a user wants to play a VGA game like abuse, go use the DOS box down the
hall.  :)

Having an installation option, or perhaps a "secure" package to install
would definitely be a step in the right direction for all Linux
distributors.  

+-----------------------+----------------------------------------------------+
| Alex Mottram		| Experience is what you get when you were 	     |
| System Administrator,	|   expecting something else...			     |
| Net-Connect, Ltd.	|						     |
+-----------------------+----------------------------------------------------+
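
The s-bit pass described in the reply above, written as a dry run with a keep-list so that a few binaries can retain their setuid bit. This is an added example, not part of the original post; the function names, the keep-list file and its one-path-per-line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
#
# audit_suid ROOT OWNER KEEPFILE
#   ROOT      directory tree to scan (the mail scans /)
#   OWNER     user name or numeric uid to match (the mail matches root)
#   KEEPFILE  assumed format: one absolute path per line; listed files
#             keep their setuid bit
# Prints "KEEP <path>" or "STRIP <path>" for every setuid file found.
# Changes nothing. Paths containing newlines are not supported.
audit_suid() {
    root=$1 owner=$2 keep=$3
    # -xdev      stay on one filesystem (skips /proc and network mounts)
    # -type f    regular files only
    # -perm -4000 setuid bit set, whatever the other mode bits are
    find "$root" -xdev -type f -perm -4000 -user "$owner" -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        # -F fixed string, -x whole line: exact path match only
        if [ -f "$keep" ] && grep -Fxq -- "$f" "$keep"; then
            printf 'KEEP %s\n' "$f"
        else
            printf 'STRIP %s\n' "$f"
        fi
    done
}

# strip_suid ROOT OWNER KEEPFILE
# Clears the setuid bit on every file the audit marks STRIP.
strip_suid() {
    audit_suid "$1" "$2" "$3" | sed -n 's/^STRIP //p' |
    while IFS= read -r f; do
        chmod u-s -- "$f" && printf 'cleared %s\n' "$f"
    done
}
```

Review the output of audit_suid / root KEEPFILE before running strip_suid with the same arguments, and re-run the audit after package upgrades, which can restore the bits.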
