[894] in linux-security and linux-alert archive


Re: [linux-security] Re: You wouldn't believe it...

daemon@ATHENA.MIT.EDU (John Henders)
Wed Jul 10 18:35:19 1996

To: jlewis@inorganic5.fdt.net
Date: Wed, 10 Jul 1996 13:49:15 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
Reply-to: jhenders@bogon.com
From: John Henders <jhenders@bogon.com>

Jon Lewis writes:

> This is something I meant to say something about...but kept forgetting.  
> There's this box I installed very nearly all of Red Hat 3.0.3 on to get a 
> feel for Red Hat and see just how much I'd hate it.  Maybe I just haven't 
> gotten to know it well enough...but I greatly prefer my hacked up 
> slackware based boxes.  Anyway, one day a co-worker brings in his 
> notebook with pcmcia ethernet, and asks me what's up with this Windows
> server on our network.  "What windows server?"  It was then that I found 
> that by default, Red Hat 3.0.3 setup Samba for me and ran it with /tmp 
> world rw.  I still don't know Samba, but I assume this is the section of 
> config file responsible:
> 
> [tmp]
>    comment = Temporary file space
>    path = /tmp
>    read only = no
>    public = yes
> 
> On a small box such as this one, where the root fs is _the_ fs, a world 
> writable (no account needed) exported directory could be a very bad thing.

Only if there's a bug in samba that allows you to get out of the
directory that is exported, as there was with the NT implementation.

I think this is the result of a different philosophy than Slackware more
than anything else. With Redhat, the assumption seems to be that if you
ask for a package to be installed it will be configured as well, whereas
Slackware (or at least the last version I installed) just installs
the package and leaves you to figure out how to configure it. Debian
seems to follow the Redhat philosophy as well. If you install
netatalk, for instance, it configures it to allow users to mount their
home directory.

Where both packagers fall down, Redhat's rpm the most, IMHO, is
that they tell you very little about what they've done. rpm
--install package is completely silent, and the -v verbose flag is not
much better. Debian fares much better in this regard, but I'd still
think more info on the package should be presented somehow.

The problem is even worse when installing a whole distribution, as in my
experience, no one sticks around to watch the messages printed on a
large install. Perhaps if the installers had info sheets for each
package, on a bulk install they could save them all to disk and then
mail the whole thing to root after installation.



-- 
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*
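As an added example, not part of the original thread or of any Samba or Red Hat tooling: a small POSIX sh/awk audit that flags the exact combination Jon Lewis found, a share that is both guest-accessible (public = yes, or its synonym guest ok = yes) and writable (read only = no, or writable/writeable = yes). The function name find_guest_writable and the sample smb.conf below are my own constructions; the [tmp] share in the sample is the one quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original post): report smb.conf shares that
# accept guests AND are writable, i.e. the world-rw /tmp export described
# above. Synonyms handled: public/guest ok, read only/writable/writeable.
# Limitation: per-share settings only; a [global] default of "guest ok = yes"
# is not propagated to the shares.

# find_guest_writable <smb.conf>
# Prints one share name per line for each guest-accessible writable share.
find_guest_writable() {
    awk '
    function flush() {
        if (sec != "" && sec != "global" && guest && writable) print sec
        guest = 0; writable = 0        # Samba defaults: guest ok = no, read only = yes
    }
    /^[ \t]*[;#]/ { next }             # comment lines
    /^[ \t]*\[.*\][ \t]*$/ {           # [section] header starts a new share
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
        yes = (val == "yes" || val == "true" || val == "1")
        if (key == "public" || key == "guestok") guest = yes
        if (key == "readonly") writable = !yes
        if (key == "writable" || key == "writeable") writable = yes
    }
    END { flush() }
    ' "$1"
}

# Constructed sample: the quoted [tmp] share plus two shares that must NOT
# be flagged ([homes] is writable but not public; [pub] is public but read-only).
SAMPLE_SMB_CONF="${TMPDIR:-/tmp}/smb-audit-sample-$$.conf"
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

[pub]
   comment = Read-only public share
   path = /usr/share/pub
   public = yes
   read only = yes
EOF

find_guest_writable "$SAMPLE_SMB_CONF"   # prints: tmp
```

Run it against the real /etc/smb.conf (or wherever the distribution put it) right after a package install; any share it prints is reachable without an account and writable, which on a box whose root filesystem is the only filesystem is exactly the exposure discussed above. The fix for the quoted share is to drop public = yes, or to set read only = yes if anonymous read access is actually wanted.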
