
If Linux Were As Popular As Windows...


Anonymous via the Cypherpunks Tonga Remailer

Jan 6, 2006, 1:32:30 PM
If Windows disappeared and its place was taken by Linux, so that 95
percent or whatever it is of personal computers ran on Linux, would we see
endless patches of Linux to fix the thousands of viruses that were aimed
at it?

Is Windows really that much less secure than Linux or is it just that
virus writers aren't interested in targeting Linux?


Roy Schestowitz

Jan 6, 2006, 1:45:18 PM
__/ [Anonymous via the Cypherpunks Tonga Remailer] on Friday 06 January 2006
18:32 \__

The short answer: Windows has got itself trapped. Over the years it has
adopted overly permissive and lenient mechanisms that neglected security.
Security seemed like a cost that hindered functionality. Unauthorised
installations and lacking verifications are one example. ActiveX controllers
are another.

It is probably too late to retract the mechanisms that people have come to
depend on. Linux has had security in mind all along. Its operation is not
built to permit ridiculous exploits. Many could argue it has been a
strategy, but also bear in mind that the hacker community (1), that which
understands security, has always preferred Open Source and contributed to it
over the years. Linux has 'hacker awareness'.

Roy

[1] http://en.wikipedia.org/wiki/Hacker_community

--
Roy S. Schestowitz | Useless fact: Digits 772-777 of Pi are 999999
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
6:35pm up 27 days 1:46, 12 users, load average: 0.30, 0.39, 0.35
http://iuron.com - next generation of search paradigms

Madhusudan Singh

Jan 6, 2006, 2:01:40 PM
Anonymous via the Cypherpunks Tonga Remailer wrote:

> If Windows disappeared and its place was taken by Linux, so that 95
> percent or whatever it is of personal computers ran on Linux, would we see
> endless patches of Linux to fix the thousands of viruses that were aimed
> at it?

A majority of the world's servers already run Linux / BSDs. And still no
serious long lasting exploits.

In Windows, the network was an afterthought. Linux, like most unices, grew
up as a networked OS.

Ray Ingles

Jan 6, 2006, 1:54:46 PM
On 2006-01-06, Anonymous via the Cypherpunks Tonga Remailer

<nob...@cypherpunks.to> wrote:
> Is Windows really that much less secure than Linux or is it just that
> virus writers aren't interested in targeting Linux?

Apache on Unix is by far the most popular web serving software.
Something like three-to-one over IIS. And yet most of the hacks and
worms target IIS, not Apache.

If Linux were the majority OS on the desktop, the malware problem would
still be present, but *vastly* reduced.

--
Sincerely,

Ray Ingles (313) 227-2317

Gillette plans on spending $300 million to promote a razor that
cost $750 million to develop. And people complain about 'waste'
when private donations totalling $134,500 are spent on SETI...

William Poaster

Jan 6, 2006, 2:15:55 PM
On Fri, 06 Jan 2006 19:32:30 +0100, Anonymous via the Cypherpunks Tonga
Remailer wrote:

> If Windows disappeared and its place was taken by Linux, so that 95
> percent or whatever it is of personal computers ran on Linux, would we see
> endless patches of Linux to fix the thousands of viruses that were aimed
> at it?

Unlikely - http://librenix.com/?inode=21

> Is Windows really that much less secure than Linux

Yes.

> or is it just that virus writers aren't interested in targeting Linux?

They cannot do the damage to Linux machines that they can to Windows ones:

http://www.securityfocus.com/columnists/188

http://linuxmafia.com/~rick/faq/index.php?page=virus

Erik Funkenbusch

Jan 6, 2006, 2:44:18 PM
On 6 Jan 2006 13:54:46 -0500, Ray Ingles wrote:

> On 2006-01-06, Anonymous via the Cypherpunks Tonga Remailer
> <nob...@cypherpunks.to> wrote:
>> Is Windows really that much less secure than Linux or is it just that
>> virus writers aren't interested in targeting Linux?
>
> Apache on Unix is by far the most popular web serving software.
> Something like three-to-one over IIS. And yet most of the hacks and
> worms target IIS, not Apache.

Perhaps you'd care to back this up. Please name the IIS worm or hacks for
IIS, since there have only been 2 vulnerabilities affecting IIS in the last 3
years, and 33 for Apache, and not a single IIS-based worm has surfaced
since the Code Red II era, but there have been worms on Linux, such as
Slapper, which while not widespread, were certainly more than IIS-based
ones.

Finally, Apache is only more popular by hostname, not server.

> If Linux were the majority OS on the desktop, the malware problem would
> still be present, but *vastly* reduced.

Hard to say, since the majority of malware is installed by social
engineering methods, which rely on the ignorance of users.

Erik Funkenbusch

Jan 6, 2006, 2:45:14 PM
On Fri, 06 Jan 2006 14:01:40 -0500, Madhusudan Singh wrote:

> Anonymous via the Cypherpunks Tonga Remailer wrote:
>
>> If Windows disappeared and its place was taken by Linux, so that 95
>> percent or whatever it is of personal computers ran on Linux, would we see
>> endless patches of Linux to fix the thousands of viruses that were aimed
>> at it?
>
> A majority of the world's servers already run Linux / BSDs. And still no
> serious long lasting exploits.

Wrong.

> In Windows, the network was an afterthought. Linux, like most unices, grew
> up as a networked OS.

Wrong. NT was designed with networking in mind. Unix had networking
bolted on to it.

Ray Ingles

Jan 6, 2006, 2:47:10 PM
On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
>> In Windows, the network was an afterthought. Linux, like most unices, grew
>> up as a networked OS.
>
> Wrong. NT was designed with networking in mind. Unix had networking
> bolted on to it.

But NT's design was crippled by having to be backwards-compatible with
the old operating systems. They've been working to fix that, but they
still don't have security on the brain. Witness all the problems they
are having with their LUA initiative.

Witness the recent WMF problem - it wasn't a buffer overflow or
anything, Microsoft *designed* an image format that could execute code.
They *wanted* images to be able to execute code, and they didn't
consider what malicious uses that could be put to. Didn't even cross
their minds, apparently.

--
Sincerely,

Ray Ingles (313) 227-2317

"The most likely way for the world to be destroyed, most experts
agree, is by accident. That's where we come in; we're computer
professionals. We cause accidents." - Nathaniel Borenstein

Erik Funkenbusch

Jan 6, 2006, 2:57:52 PM
On Fri, 06 Jan 2006 19:15:55 +0000, William Poaster wrote:

>> or is it just that virus writers aren't interested in targeting Linux?
>
> They cannot do the damage to Linux machines that they can to Windows ones:

This assumes many things. First, it assumes that as more users use Linux,
more "user friendly" software won't be developed that will override
the hoops users have to jump through to execute attachments. In fact, it's
highly likely that as a system gains more and more "laypeople",
software will be written to their level.

Second, executing attachments is only one way. As your linked article
points out, vulnerabilities have existed in Unix/Linux mail readers that
allow arbitrary code execution as well, and those kinds of flaws will
continue to be found, especially as more "average" to "poor" developers
start writing for the OS.

Third, even if neither of the above happen, there are still attack vectors,
and attackers will simply concentrate on the vectors that ARE present, even
if some of the ones they've used on Windows don't exist on Linux. Security
is a chain, and having even one weak link kills the robustness of your
entire chain.

Ray Ingles

Jan 6, 2006, 3:09:43 PM
On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
>> Apache on Unix is by far the most popular web serving software.
>> Something like three-to-one over IIS. And yet most of the hacks and
>> worms target IIS, not Apache.
>
> Perhaps you'd care to back this up. Please name the IIS worm or hacks for
> IIS, since there's only been 2 vulnerabilities affecting IIS in the last 3
> years, and 33 for Apache, and not a single IIS based worm has surfaced
> since the Code Red II era

Actually, IIS 6 *is* an improvement, though not universally deployed by
a long shot (still a lot of Code Red traffic out there). IIS sites still
get hacked, though, through other holes like these (SANS's #1
vulnerability of the year):

http://www.sans.org/top20/#w1

> but there have been worms on Linux, such as
> Slapper, which while not widespread, were certainly more than IIS-based
> ones.

That's a *Linux* (actually OpenSSL) worm, not an *Apache* worm. And it
barely spread anywhere *despite* the prevalence of Apache.

> Finally, Apache is only more popular by hostname, not server.

Do you have any actual evidence the numbers of Apache servers vs. IIS
servers are dramatically closer?

>> If Linux were the majority OS on the desktop, the malware problem would
>> still be present, but *vastly* reduced.
>
> Hard to say, since the majority of malware is installed by social
> engineering methods, which rely on the ignorance of users.

But Linux enforces a privilege separation that Windows doesn't. (Not
"can't" - witness Microsoft's frantic efforts to get developers to go
along with LUA - but "doesn't".)

--
Sincerely,

Ray Ingles (313) 227-2317

Exercise for the reader: What did the U.S. government spend more
money and time investigating - (a) Enron or (b) Monica Lewinsky?

Linønut

Jan 6, 2006, 3:18:52 PM
After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> On Fri, 06 Jan 2006 14:01:40 -0500, Madhusudan Singh wrote:
>>
>> A majority of the world's servers already run Linux / BSDs. And still no
>> serious long lasting exploits.
>
> Wrong.

Name one that's happened in the last 10 years.

>> In Windows, the network was an afterthought. Linux, like most unices, grew
>> up as a networked OS.
>
> Wrong. NT was designed with networking in mind. Unix had networking
> bolted on to it.

Chuckle. You are not really even correct, in strict terms. First, by
the time NT came about, UNIX already had networking, and it was pretty
mature at that point. Certainly more mature than you could say NT was,
even with the jump-start given by Cutler's team. UNIX may have had
networking bolted on initially, but, by the time NT was around,
networking was welded in place.

Second, as far as I know, NT only supported MS networking. If you
wanted TCP/IP, you had to buy a 3rd-party package. Same for Novell
Client networking, if I recall correctly.

--
I love the smell of code compiling in the morning. It smells like... Freedom.

Ray Ingles

Jan 6, 2006, 3:32:24 PM
On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
>> They cannot do the damage to Linux machines that they can to Windows ones:
>
> This assumes many things. First, it assumes that as more users use Linux,
> that more "user friendly" software won't be developed that will override
> the hoops users have to jump through to execute attachments. In fact, it's
> highly likely that as a system gains more and more "laypeople", that
> software will be written to their level.

Ubuntu shows an excellent model for this, with its sudo-based
administration. The user doesn't need to 'switch users' or anything to
do administration, but there is a very clear separation between normal
operation and system administration nonetheless.

Plus Linux (and developers for it) enforce a separation between data
and executables. Microsoft already found out why having
automatically-executing items in email is a bad thing; but it didn't
teach them enough to avoid the WMF fiasco with its executable images.
Oh, and they put hooks into .ASF files to execute code, too; I've heard
there are movie files out in the wild exploiting that.

I'm not too worried on that score. No, it's not impossible to infect a
Linux box, but it's noticeably harder, and the diversity of
distributions adds another layer of defense. An exploit that works on
one won't work on another, or else needs to be polymorphic, a much
harder job to write.

> Second, executing attachments is only one way. As your linked article
> points out, vulnerabilities have existed in Unix/Linux mail readers that
> allow arbitrary code execution as well, and those kinds of flaws will
> continue to be found, especially as more "average" to "poor" developers
> start writing for the OS.

Sure, they are found, but (a) in my experience they are usually fixed
much faster on Linux, and (b) Linux updates are simpler and easier to
work with than Windows updates. For most distributions, there's a
central place to go to and *everything* on the system can get updated,
not just the OS and a few core apps.



> Third, even if neither of the above happen, there are still attack vectors,
> and attackers will simply concentrate on the vectors that ARE present, even
> if some of the ones they've used on Windows don't exist on Linux. Security
> is a chain, and having even one weak link kills the robustness of your
> entire chain.

Security *isn't* a chain - or at least it shouldn't be. It's possible
to have "defense in depth". Even a Linux attack focused on one
distribution must first (a) get executed - note how few remote
vulnerabilities are found in Linux software - and then (b) find a way to
elevate privileges to root. The second step is usually not a factor on
Windows since so many people are running as administrator.

Adding in things like sandboxes (e.g. Java) and so forth adds a third
layer. And more layers are possible.

--
Sincerely,

Ray Ingles (313) 227-2317

To mess up a Linux box, you need to work at it;
to mess up your Windows box, you just need to work on it.
- Scott Granneman

Linønut

Jan 6, 2006, 3:41:38 PM
After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> Perhaps you'd care to back this up. Please name the IIS worm or hacks for


> IIS, since there have only been 2 vulnerabilities affecting IIS in the last 3
> years,

What are these?

http://www.frsirt.com/exploits/product/4549

It would appear that Secunia bears out your statement above if you stick
to version 6:

http://secunia.com/product/1438/

Microsoft Internet Information Services (IIS) 6

Vendor: Microsoft Product Affected By: 2 Secunia Advisories

> and 33 for Apache

billwg

Jan 6, 2006, 3:57:37 PM

"Anonymous via the Cypherpunks Tonga Remailer" <nob...@cypherpunks.to>
wrote in message news:200601061832...@mail.cypherpunks.to...
Windows derives from the PC days where it was intended to be a "personal
computer" OS and security wasn't much of an issue since it was as secure
as your wallet and keys, i.e. there was no way for a hacker to reach out
and touch you. There were on-line hackers then, but they had to be
satisfied with terminal connections to Unix and mainframe machines. If
Windows went away, 95% of the computers in use would go away with it.
Unix and Linux are poor performers in the home for the average person.
People have tried to do too much too soon with Windows in terms of
constant connectivity and more needs to be done to provide a robust and
secure environment that is still easy enough for the people to use on
their own.


Jim Richardson

Jan 6, 2006, 4:05:31 PM

On Fri, 6 Jan 2006 13:57:52 -0600,
Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:


> Third, even if neither of the above happen, there are still attack vectors,
> and attackers will simply concentrate on the vectors that ARE present, even
> if some of the ones they've used on Windows don't exist on Linux. Security
> is a chain, and having even one weak link kills the robustness of your
> entire chain.

And thus, from Erik's mouth, the reason MS-Windows will always be more
vulnerable than Linux. MS-Windows has the weaker links.


--
Jim Richardson http://www.eskimo.com/~warlock
I might be crazier than you think

tha...@tux.glaci.remove-this.com

Jan 6, 2006, 4:20:11 PM
Ray Ingles <sorc...@localhost.localdomain> wrote:
>
> Do you have any actual evidence the numbers of Apache servers vs. IIS
> servers are dramatically closer?

I believe netcraft breaks the numbers down that way, though I
have not looked at them in a while. I am not sure why the
Windows crowd would brag about a lower hostname per server
ratio, however. It just confirms that Linux is waaaaay better
when it comes to virtual hosting... a fact that ISPs have
known for some time.

Thad

billwg

Jan 6, 2006, 4:19:49 PM

"Ray Ingles" <sorc...@localhost.localdomain> wrote in message
news:slrndrtfhh....@localhost.localdomain...

>
> Apache on Unix is by far the most popular web serving software.
> Something like three-to-one over IIS. And yet most of the hacks and
> worms target IIS, not Apache.
>
> If Linux were the majority OS on the desktop, the malware problem
> would
> still be present, but *vastly* reduced.
>
Well, Ray, most of the cheapo web service suppliers use Linux and Apache
since there isn't any critical usage and they can shave the price for
the $4.99 per month crowd that swells the numbers. When you get to
the more important stuff, where people are willing to pay more for some
better results, there is a much higher incidence of IIS use. Those are
the sites that people try to hack the most as well.

But the discussion was about the desktop and viruses. These do not
involve web servers.


tha...@tux.glaci.remove-this.com

Jan 6, 2006, 4:39:43 PM

I'm sure this will get plenty of answers, but I'll throw my two
cents in anyway.

If Linux was on 95 percent of computers, yes, it would be
attacked more often. The impact, however, would be much
reduced. The reasons are:

The design and culture of Linux has its roots in multi-user
networked Unix environments. Linux does a better job of containing
security breaches to the account in which they originate. Windows
started as a single user, stand-alone system. Consequently, it is
more common for users and background processes to run with full
privilege, which increases risk. Note that much of this has to
do with administrative practices and interface design choices rather
than underlying OS capabilities. You CAN run with decent security
in Windows, but in practice many people do not because it is a pain
in the butt.

Linux is also helped by the prevalence of multiple distributions
and multi-platform support. An exploit is less likely to
spread widely when the environment is less homogeneous. A
buffer exploit becomes useless on a different instruction set
or when faced with even slight changes in software versions.
Linux's faster update cycle helps out here.

Fundamentally, open source software is more secure. The whole
many eyeballs finding bugs argument has been beaten to death so I
won't go into it here; it is true, but only part of the story.
More important is the nature of secrets and their relation to
security. The more your software depends on secrets to be
secure, the more vulnerable it is; this is a basic principle
of encryption/security theory. If your algorithm is weak, it
makes no difference how good your password is. Similarly, if
your implementation of that algorithm is flawed, you are also
vulnerable. All code is open source to a person who reads
assembly (you can do some amazing things with SoftIce), so
hiding your flaws with binary releases is only a delaying
tactic at best. It takes only one person to figure out the
flaw, and suddenly your entire infrastructure needs replacing.

Your encryption key or password is the ONLY secret you should
ever have to rely on. If it is discovered, replacing it is
no big deal; it is designed for exactly that. Security is
well served when the algorithms it depends on are public and
peer reviewed. It is best served when the implementations
of those algorithms are equally peer reviewed.

So yes, increased Linux popularity will make it a bigger
target, but it will weather the storm better.

Thad

chrisv

Jan 6, 2006, 3:55:07 PM
Proven liar billwg wrote:

> Windows derives from the PC days where it was intended to be a "personal
> computer" OS and security wasn't much of an issue since it was as secure
> as your wallet and keys, i.e. there was no way for a hacker to reach out
> and touch you.

That excuse may suffice for Win9X, but not for the NT-based XP. WANs
were a reality when NT was conceived.

> Unix and Linux are poor performers in the home for the average person.

Stupid lying troll. In what way does Linux "perform poorly"? The ONLY
thing Linux lacks is the wide array of shrink-wrapped software that
Windwoes has.

The Ghost In The Machine

Jan 6, 2006, 5:00:10 PM
In comp.os.linux.advocacy, Anonymous via the Cypherpunks Tonga Remailer
<nob...@cypherpunks.to>
wrote
on Fri, 6 Jan 2006 19:32:30 +0100 (CET)
<200601061832...@mail.cypherpunks.to>:

Won't happen for several reasons.

[1] There's a lot of Windows application/client software out there.
A *lot*. Wander up and down a Fry's Electronics, a Comp USA,
or other such store. Fortunately, Linux has WinE and VmWare...

[2] Many servers are already based on solutions other than Microsoft.

[3] Linux and distros are more resistant to viruses, trojan horses,
and worms. One big reason: email systems on Linux don't allow
one to "click and execute the script"; it takes more work to
take a, say, shell script from mail to box.

[4] I don't know for sure but Linux distros generally encourage
users to run as someone other than root. Any malicious scripts
run won't be able to damage things quite as much, although
password capturing is still possible.

However, the virus writers will be interested in targeting Linux as
Linux becomes more popular; expect more exploits (though not nearly
as many as a certain other OS!) in the near future.

--
#191, ewi...@earthlink.net
It's still legal to go .sigless.

mlw

Jan 6, 2006, 5:09:53 PM
Erik Funkenbusch wrote:

> On Fri, 06 Jan 2006 14:01:40 -0500, Madhusudan Singh wrote:
>
>> Anonymous via the Cypherpunks Tonga Remailer wrote:
>>
>>> If Windows disappeared and its place was taken by Linux, so that 95
>>> percent or whatever it is of personal computers ran on Linux, would we
>>> see endless patches of Linux to fix the thousands of viruses that were
>>> aimed at it?
>>
>> A majority of the world's servers already run Linux / BSDs. And still no
>> serious long lasting exploits.
>
> Wrong.

OK, name one.

>
>> In Windows, the network was an afterthought. Linux, like most unices,
>> grew up as a networked OS.
>
> Wrong. NT was designed with networking in mind. Unix had networking
> bolted on to it.

I have to laugh Erik, if by "bolted on to it" you mean TCP/IP was designed
and developed to run on UNIX and provide communication between UNIX
machines before there was "networking," then yes you are right.

If when you say NT was designed with networking in mind, you mean NetBEUI
and not routable enterprise networking protocols, then yes, you are right
again.

GreyCloud

Jan 6, 2006, 5:09:30 PM
Erik Funkenbusch wrote:

Sure... uh-huh.

But then NT never had security designed in either.


--
Where are we going?
And why am I in this handbasket?

AZ Nomad

Jan 6, 2006, 5:18:52 PM
On Fri, 06 Jan 2006 22:00:10 GMT, The Ghost In The Machine <ew...@sirius.tg00suus7038.net> wrote:

>However, the virus writers will be interested in targeting Linux as
>Linux becomes more popular; expect more exploits (though not nearly
>as many as a certain other OS!) in the near future.

Yeah, I expect there to be thousands of times the number of worms/viruses
running around in just a few years. ZERO.

Linux just doesn't have the combination of a crap architecture mated
with a crap company (i.e. slow to report problems, slow to release fixes)
with most users running as root/admin.

Richard Rasker

Jan 6, 2006, 5:31:08 PM
On Fri, 06 Jan 2006 15:09:30 -0700, GreyCloud wrote:

NT was an admin's nightmare, sometimes needing several reboots per day,
but it had a quite elaborate security scheme designed in.
However, this 'security' was almost worse than no security, for being
illogical, opaque and too complex to use. I recall that for instance
resetting one type of permission caused several (but not all) other
related settings to be reset as well - which would require a second round
of checking *all* settings by the admin. Just one oversight in this
laborious task, and poof, no more security. Then there was the UI: just
those stupid, utterly time-consuming clickety-click Windows, offering
none of the powerful and lightning fast options a common *nix CLI offers,
which makes administering the latter such a breeze.


Richard Rasker

--
Linetec Translation and Technology Services

http://www.linetec.nl/

tha...@tux.glaci.remove-this.com

Jan 6, 2006, 5:47:23 PM
mlw <m...@nospamnoway.zz> wrote:
>
> I have to laugh Erik, if by "bolted on to it" you mean TCP/IP was designed
> and developed to run on UNIX and provide communication between UNIX
> machines before there was "networking," then yes you are right.

I found it funny also. The Internet stack was essentially invented
and developed as part of BSD Unix. Winsock was a kludge by comparison.

Thad

George Ellison

Jan 6, 2006, 5:46:27 PM
chrisv <chr...@nospam.invalid> writes:

Not true. It also lacks a need for it.

Kier

Jan 6, 2006, 5:49:15 PM
On Fri, 06 Jan 2006 20:57:37 +0000, billwg wrote:

>
> "Anonymous via the Cypherpunks Tonga Remailer" <nob...@cypherpunks.to>
> wrote in message news:200601061832...@mail.cypherpunks.to...
>> If Windows disappeared and its place was taken by Linux, so that 95
>> percent or whatever it is of personal computers ran on Linux, would we
>> see
>> endless patches of Linux to fix the thousands of viruses that were
>> aimed
>> at it?
>>
>> Is Windows really that much less secure than Linux or is it just that
>> virus writers aren't interested in targeting Linux?
>>
> Windows derives from the PC days where it was intended to be a "personal
> computer" OS and security wasn't much of an issue since it was as secure
> as your wallet and keys, i.e. there was no way for a hacker to reach out
> and touch you. There were on-line hackers then, but they had to be
> satisfied with terminal connections to Unix and mainframe machines. If
> Windows went away, 95% of the computers in use would go away with it.

There'd still be a functioning internet for the rest of us to enjoy
without malware and viruses, though.



> Unix and Linux are poor performers in the home for the average person.

Why? Linux PCs do just what Windows PCs do - provide apps for email,
web-surfing, image manipulation and sorting, CD burning, music creation,
databasing, word processing, etc, etc.



> People have tried to do too much too soon with Windows in terms of
> constant connectivity and more needs to be done to provide a robust and
> secure environment that is still easy enough for the people to use on
> their own.

Linux is easy to use.

--
Kier

George Ellison

Jan 6, 2006, 5:51:30 PM
tha...@tux.glaci.remove-this.com writes:

> mlw <m...@nospamnoway.zz> wrote:
> >
> > I have to laugh Erik, if by "bolted on to it" you mean TCP/IP was designed
> > and developed to run on UNIX and provide communication between UNIX
> > machines before there was "networking," then yes you are right.
>
> I found it funny also. The Internet stack was essentially invented
> and developed as part of BSD Unix.

Not to mention stolen by Microsoft (wonder if any of their NT adverts ever had
the BSD advertising clause before it was dropped in '99).

William Poaster

Jan 6, 2006, 6:33:24 PM
Once upon a Fri, 06 Jan 2006 15:09:43 -0500 dreary, as I laboured tired &
weary, came a tapping at my door when Ray Ingles posted this, & nothing
more...

> On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:

<Snip>


>> Hard to say, since the majority of malware is installed by social
>> engineering methods, which rely on the ignorance of users.

He's right there, after all don't the wintrolls keep saying that 90% of
PCs use M$ Windows? If that isn't a majority of malware, what is!
Besides, you can't get more ignorant than to install Windows on your
machines in the first place, IMO. ;-)

> But Linux enforces a privilege separation that Windows doesn't. (Not
> "can't" - witness Microsoft's frantic efforts to get developers to go
> along with LUA - but "doesn't".)

--
98% of linux problems *windows* users whine about,
emanate from somewhere between the chair and the PC.
Either the person cannot read, doesn't understand
what they read, or they can't be bothered.

Chris H

Jan 6, 2006, 6:47:39 PM
Erik Funkenbusch wrote:
> On Fri, 06 Jan 2006 14:01:40 -0500, Madhusudan Singh wrote:
>
>
>> Anonymous via the Cypherpunks Tonga Remailer wrote:
>>
>>
>>> If Windows disappeared and its place was taken by Linux, so that 95
>>> percent or whatever it is of personal computers ran on Linux, would we see
>>> endless patches of Linux to fix the thousands of viruses that were aimed
>>> at it?
>>
>> A majority of the world's servers already run Linux / BSDs. And still no
>> serious long lasting exploits.
>
>
> Wrong.

Hey Erik, if you think Apache/Linux is such a bad combination why do you
run funkenbusch.com in it?

>
>> In Windows, the network was an afterthought. Linux, like most unices, grew
>> up as a networked OS.
>
>
> Wrong. NT was designed with networking in mind. Unix had networking
> bolted on to it.


--
C.

The Ghost In The Machine

Jan 6, 2006, 9:00:05 PM
In comp.os.linux.advocacy, AZ Nomad
<azn...@PmunOgeBOX.com>
wrote
on Fri, 06 Jan 2006 22:18:52 GMT
<slrndrtr6o....@ip70-176-155-130.ph.ph.cox.net>:

> On Fri, 06 Jan 2006 22:00:10 GMT, The Ghost In The Machine <ew...@sirius.tg00suus7038.net> wrote:
>
>>However, the virus writers will be interested in targeting Linux as
>>Linux becomes more popular; expect more exploits (though not nearly
>>as many as a certain other OS!) in the near future.
>
> Yeah, I expect there to be thousands of times the number of worms/viruses
> running around in just a few years. ZERO.

It's not quite zero. Li0n in particular was a virus against
a particular version of Apache on RedHat.

But it's far less than 100,000.... :-)

>
> Linux just doesn't have the combination of a crap architecture mated
> with a crap company (i.e. slow to report problems, slow to release fixes)
> with most users running as root/admin.
>

Agreed. But that doesn't make it invulnerable, just highly resistant.

GreyCloud

Jan 6, 2006, 9:28:59 PM
Richard Rasker wrote:

Hehe.. looks like David Cutler had a brain fart that day trying to
remember how VMS did it.

Sinister Midget

Jan 6, 2006, 9:44:12 PM
On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> posted something concerning:
> On 6 Jan 2006 13:54:46 -0500, Ray Ingles wrote:
>
>> On 2006-01-06, Anonymous via the Cypherpunks Tonga Remailer

>> <nob...@cypherpunks.to> wrote:
>>> Is Windows really that much less secure than Linux or is it just that
>>> virus writers aren't interested in targeting Linux?
>>
>> Apache on Unix is by far the most popular web serving software.
>> Something like three-to-one over IIS. And yet most of the hacks and
>> worms target IIS, not Apache.
>
> Perhaps you'd care to back this up. Please name the IIS worm or hacks for
> IIS,

http://www.cert.org/advisories/CA-2001-11.html

http://vil.nai.com/vil/content/v_99202.htm

http://www.theregister.co.uk/2001/05/08/worm_puts_old_iis_attack/

http://www.viruslibrary.com/virusinfo/IIS-Worm.IISWorm.htm

> since there's only been 2 vulnerabilities affecting IIS in the last 3
> years

Nice try at limiting the damage. But I don't see a time period in his
statement. Which one do you see?

> and 33 for Apache,

Worms, viruses. Not vulnerabilities.

> and not a single IIS based worm has surfaced since the Code Red II
> era, but there have been worms on Linux, such as Slapper, which while
> not wide spread, were certainly more than IIS based ones.

Along with all of the other Apache worms, that makes...hmm, let's
see...carry the one....multiply by the total numbers....divide by the
difference....multiply by the octal root...about one. Or two.

How many have there been since Apache was first created, Ewik? How many
for IIS since /its/ inception (which came later, by the by)?

> Finally, Apache is only more popular by hostname, not server.

Lather, rinse, repeat. But you're supposed to be using *shampoo*, not
shit.

One more time for the audience: it takes *how many* IIS servers to do
the same level of tasks as one linux server (approximation is OK, as
long as a reasonable effort at accuracy is attempted)?

I thought they retired that dance of yours a couple of years ago. I
guess you just can't let go, can you?

--
Wayphiser: Innovative Microsoft peer-to-peer software.

Sinister Midget

Jan 6, 2006, 9:52:09 PM
On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> posted something concerning:
> On Fri, 06 Jan 2006 19:15:55 +0000, William Poaster wrote:
>
>>> or is it just that virus writers aren't interested in targeting linux?
>>
>> They cannot do the damage to linux machines, that they can to windows ones:
>
> This assumes many things.

Yeah. But *none* of them have anything to do with you being honest,
consistent or willing to back the specious claims you make when called
on them.

--
After seeing Windows I realize Bill Gates is an idiot.

Erik Funkenbusch

Jan 6, 2006, 10:45:50 PM
On 6 Jan 2006 15:09:43 -0500, Ray Ingles wrote:

>> Perhaps you'd care to back this up. Please name the IIS worm or hacks for
>> IIS, since there's only been 2 vulnerabilities affecting IIS in the last 3
>> years, and 33 for Apache, and not a single IIS based worm has surfaced
>> since the Code Red II era
>
> Actually, IIS 6 *is* an improvement, though not universally deployed by
> a long shot (still a lot of Code Red traffic out there). IIS sites still
> get hacked, though, through other holes like these (SANS's #1
> vulnerability of the year):
>
> http://www.sans.org/top20/#w1

Right, but that's a far cry from your original claim.

>> but there have been worms on Linux, such as
>> Slapper, which while not wide spread, were certainly more than IIS based
>> ones.
>
> That's a *Linux* (actually OpenSSL) worm, not an *Apache* worm. And it
> barely spread anywhere *despite* the prevalence of Apache.

Actually, it does take advantage of Apache as well.

http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

"Each variant of the family targets vulnerable installations of the Apache
Web server on Linux operating systems"

>> Finally, Apache is only more popular by hostname, not server.
>
> Do you have any actual evidence the numbers of Apache servers vs. IIS
> servers are dramatically closer?

The most recent numbers are from 2001, but the ratio of sites on IIS to
non-IIS has stayed roughly the same.

http://survey.netcraft.com/index-200106.html. While this only shows OS,
and theoretically could have a large percentage of servers running Apache
on Windows, and certainly Apache has become more popular on Windows in
recent years, the vast majority of sites running on Windows run IIS.

>>> If Linux were the majority OS on the desktop, the malware problem would
>>> still be present, but *vastly* reduced.
>>
>> Hard to say, since the majority of malware is installed by social
>> engineering methods, which rely on the ignorance of users.
>
> But Linux enforces a privilege separation that Windows doesn't. (Not
> "can't" - witness Microsoft's frantic efforts to get developers to go
> along with LUA - but "doesn't".)

Not really. Linspire, for instance, runs everything as Root. My point is,
just because most distros do that today, doesn't mean they all will
forever, especially when faced with less than a growing non-savvy user
base.

Erik Funkenbusch

Jan 6, 2006, 10:47:57 PM
On Fri, 06 Jan 2006 14:18:52 -0600, Linųnut wrote:

> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
>> On Fri, 06 Jan 2006 14:01:40 -0500, Madhusudan Singh wrote:
>>>
>>> A majority of the world's servers already run Linux / BSDs. And still no
>>> serious long lasting exploits.
>>
>> Wrong.
>
> Name one that's happened in the last 10 years.

The "Wrong" was in regards to "A majority of the world's servers already run
Linux / BSD's."

>>> In windows, the network was an afterthought. Linux, like most unices, grew
>>> up as a networked OS.
>>
>> Wrong. NT was designed with networking in mind. Unix had networking
>> bolted on to it.
>
> Chuckle. You are not really even correct, in strict terms. First, by
> the time NT came about, UNIX already had networking, and it was pretty
> mature at that point. Certainly more mature than you could say NT was,
> even with the jump-start given by Cutler's team. UNIX may have had
> networking bolted on initially, but, by the time NT was around,
> networking was welded in place.

I agree that networking was definitely very mature, but that's a different
argument than the original poster made.

> Second, as far as I know, NT only supported MS networking. If you
> wanted TCP/IP, you had to buy a 3rd-party package. Same for Novell
> Client networking, if I recall correctly.

No, NT had TCP/IP from the get go.

Erik Funkenbusch

Jan 6, 2006, 10:56:34 PM
On 6 Jan 2006 15:32:24 -0500, Ray Ingles wrote:

>> This assumes many things. First, it assumes that as more users use Linux,
>> that more "user friendly" software won't be developed that will override
>> the hoops users have to jump through to execute attachments. In fact, it's
>> highly likely that as a system gains more and more "laypeople", that
>> software will be written to their level.
>
> Ubuntu shows an excellent model for this, with its sudo-based
> administration. The user doesn't need to 'switch users' or anything to
> do administration, but there is a very clear separation between normal
> operation and system administration nonetheless.

That model has the disadvantage that it trains users to simply type in
their password every time someone asks for it. This will lead to spoofing
compromises in the future. It also gets annoying. OSX uses a similar
model, and recently I upgraded Adobe Creative Suite 2, and literally had to
type my password 15 times every 2 minutes. Talk about annoying.

> Plus Linux (and developers for it) enforce a separation between data
> and executables.

You're still ignoring that this is largely a policy, and can be overridden
easily. For example, suppose there's a buffer overflow in your web browser
or email application that allows execution of arbitrary code. You don't
need to set any bits on the data, and you could execute a command that, for
instance, changes the user's umode to set everything executable by default.

These 'barriers' are not barriers for long.

> I'm not too worried on that score. No, it's not impossible to infect a
> Linux box, but it's noticeably harder, and the diversity of
> distributions adds another layer of defense. An exploit that works on
> one won't work on another, or else needs to be polymorphic, a much
> harder job to write.

That's something virus writers are already doing on Windows, for example
the RPC vulnerabilities required different code depending on what OS they
ran on.
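An added audit script (not from the thread) for the data-versus-executable separation Ray and Erik argue about: it walks a constructed sample home directory and reports data files that carry an execute bit, which is exactly the state a user-level change of the kind described above would leave behind. The file names and the data-suffix list are assumptions.

```python
"""Report data files that carry an execute bit (constructed sample, not thread code)."""
import os
import shutil
import stat
import tempfile

# Assumption: file types that should never need an execute bit.
DATA_SUFFIXES = {".txt", ".jpg", ".png", ".pdf", ".odt", ".doc", ".mp3", ".html"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def executable_data_files(root):
    """Return paths (relative to root) of regular data files with any execute bit set.

    lstat is used so a symlink pointing at a real binary is not reported.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            _, suffix = os.path.splitext(name)
            if suffix.lower() in DATA_SUFFIXES and st.st_mode & EXEC_BITS:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample home directory: two data files made executable, the rest normal."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    layout = {
        "notes.txt": 0o644,        # plain data, no exec bit: not flagged
        "invoice.pdf": 0o755,      # data file with exec bits: flagged
        "photos/cat.jpg": 0o700,   # owner-exec bit only: still flagged
        "bin/backup.sh": 0o755,    # a real script, not a data suffix: not flagged
        "report.html": 0o600,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build the sample tree, audit it, clean up, and return the flagged paths."""
    root = build_sample_tree()
    try:
        return executable_data_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print("executable data file:", hit)
```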

Erik Funkenbusch

Jan 6, 2006, 11:01:17 PM
On Fri, 06 Jan 2006 23:47:39 +0000, Chris H wrote:

> Erik Funkenbusch wrote:
>>>A majority of the world's servers already run Linux / BSDs. And still no
>>>serious long lasting exploits.
>>
>> Wrong.
>
> Hey Erik, if you think Apache/Linux is such a bad combination why do you
> run funkenbusch.com in it?

I didn't say it was. Why is it that people like yourself interpret "Apache
doesn't run on the majority of the servers" with "Apache sucks". I said
the first, not the latter.

AZ Nomad

Jan 6, 2006, 11:23:14 PM
On Sat, 07 Jan 2006 02:00:05 GMT, The Ghost In The Machine <ew...@sirius.tg00suus7038.net> wrote:


>In comp.os.linux.advocacy, AZ Nomad
><azn...@PmunOgeBOX.com>
> wrote
>on Fri, 06 Jan 2006 22:18:52 GMT
><slrndrtr6o....@ip70-176-155-130.ph.ph.cox.net>:
>> On Fri, 06 Jan 2006 22:00:10 GMT, The Ghost In The Machine <ew...@sirius.tg00suus7038.net> wrote:
>>
>>>However, the virus writers will be interested in targeting Linux as
>>>Linux becomes more popular; expect more exploits (though not nearly
>>>as many as a certain other OS!) in the near future.
>>
>> Yeah, I expect there to be thousands of times the number of worms/viruses
>> running around in just a few years. ZERO.

>It's not quite zero. Li0n in particular was a virus against
>a particular version of Apache on RedHat.

How many systems right now are infected with it? How many new infections?

>But it's far less than 100,000.... :-)

yes. About 100,000 less.


>>
>> Linux just doesn't have the combination of a crap architecture mated
>> with a crap company (i.e.: slow to report problems, slow to release fixes)
>> with most users running as root/admin.
>>

>Agreed. But that doesn't make it invulnerable, just highly resistant.

That's all it takes. It's like the difference between a fuel tank with a 13:1
fuel air mixture and one with a 0.0001:1 mixture. The latter is so far less
likely to explode that it really isn't a factor.

Tim Smith

Jan 7, 2006, 12:08:00 AM
In article <raj393-...@sirius.tg00suus7038.net>,
The Ghost In The Machine <ew...@sirius.tg00suus7038.net> wrote:
> It's not quite zero. Li0n in particular was a virus against
> a particular version of Apache on RedHat.

The Li0n worm attacked BIND, not Apache, and it worked on pretty much
every Linux that used BIND at the time, including Redhat, SuSE, Debian,
and Slackware.

--
--Tim Smith

Fritz Wuehler

Jan 7, 2006, 2:48:55 AM
On Fri, 06 Jan 2006 14:55:07 -0600, chrisv wrote:

> Proven liar billwg wrote:
>
>> Windows derives from the PC days where it was intended to be a "personal
>> computer" OS and security wasn't much of an issue since it was as secure
>> as your wallet and keys, i.e. there was no way for a hacker to reach out
>> and touch you.
>
> That excuse may suffice for Win9X, but not for the NT-based XP. WAN's
> were a reality when NT was conceived.
>
>> Unix and linux are poor performers in the home for the average person.
>
> Stupid lying troll. In what way does Linux "perform poorly"? The ONLY
> thing Linux lacks is the wide array of shrink-wrapped software that
> Windwoes has.

Yeah, that really is bullshit. I am almost a stereotype of an ignorant,
lazy, home user of a computer, and I find Linux easier to use than
windows. God knows it does everything I want it to do, including
downloading videos from my videocam and burning them to dvd (kino and
dvdstyler - both with nice guis); and the feeling of not being smothered
with tons of blubber in every application is like driving a car after
finally changing the oil after 50k miles.

It's not bad either that I got it for the price of a download and burning
a CD.


Cyberwasteland

Jan 6, 2006, 6:56:21 PM

BWWAAAHAAAHAA!!!!!
That's hilarious!!

Larry Qualig

Jan 6, 2006, 3:54:19 PM

Linønutlinøn...@bone.com wrote:
> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
> > Perhaps you'd care to back this up. Please name the IIS worm or hacks for
> > IIS, since there's only been 2 vulnerabilities affecting IIS in the last 3
> > years,
>
> What are these?
>
> http://www.frsirt.com/exploits/product/4549


Dunno??? What are those?

If I search for IIS exploits I get this returned back to me. So if I'm
reading it right there are a total of 7 exploits going back to April
8th, 2005.

Search Results :
19.12.2005 : Microsoft IIS HTTP Requests Remote Denial of Service
Vulnerability
06.12.2005 : IISWorks ASP Knowledge Base "kb.asp" Cross Site
Scripting Issue
23.08.2005 : Microsoft IIS Remote "SERVER_NAME" Spoofing
Vulnerability
10.05.2005 : Macromedia ColdFusion MX Error Page Cross Site
Scripting Issue
07.05.2005 : RSA SecurID Web Agent Remote Buffer Overflow
Vulnerabilities
15.04.2005 : RSA Authentication Agent For Web Cross Site Scripting
Vulnerability
08.04.2005 : Macromedia ColdFusion MX Updater File Disclosure
Vulnerability


But if I search for "Apache" instead of "IIS" I get the following
list. How do you read this?


Search Results :
06.01.2006 : Mod_auth_pgsql Module for Apache Multiple Format String
Vulnerabilities
06.01.2006 : Redhat Security Update Fixes Apache Cross Site
Scripting and DoS
06.01.2006 : Mandriva Security Update Fixes Apache Cross Site
Scripting and DoS
06.01.2006 : Apache "mod_ssl" Custom Error Remote Denial Of Service
Vulnerability
05.01.2006 : Trustix Security Update Fixes Multiple Package
Vulnerabilities
20.12.2005 : Mandriva Security Update Fixes Apache "worker" Module
Vulnerability
15.12.2005 : OpenPKG Security Update Fixes Apache Cross Site
Scripting Issue
13.12.2005 : Apache mod_imap "Referer" Directive Cross Site
Scripting Vulnerability
07.12.2005 : Ubuntu Security Update Fixes Apache "worker" Module
Vulnerability
06.12.2005 : Sun Java System Application Server Reverse SSL Proxy
Plugin Issue
03.12.2005 : SuSE Security Update Fixes Multiple Packages
Vulnerabilities
29.11.2005 : Apple Security Update Fixes Multiple Mac OS X
Vulnerabilities
22.11.2005 : Struts Error Messages Handling Cross Site Scripting
Vulnerability
17.11.2005 : HP-UX Apache Web Server Security Bypass and Denial of
Service
09.11.2005 : SpamAssassin Remote Denial of Service and Security
Bypass Issue
07.11.2005 : Slackware Security Update Fixes Multiple Apache
Vulnerabilities
02.11.2005 : Redhat Security Update Fixes Multiple Package
Vulnerabilities
31.10.2005 : PHP Security Update Fixes Multiple Restriction Bypass
Vulnerabilities
28.10.2005 : Mandriva Security Update Fixes "mod_auth_shadow "
Security Bypass
19.10.2005 : Apache HTTP Server Security Update Fixes Multiple
Vulnerabilities
14.10.2005 : Apache HTTP Server Security Update Fixes Multiple
Vulnerabilities
07.10.2005 : HP-UX Apache "SSLVerifyClient" Directive Security
Bypass Vulnerability
04.10.2005 : Debian Security Update Fixes ApacheTop Temporary File
Creation
01.10.2005 : ApacheTop "apachetop.cc" Insecure Temporary File
Creation Issue
19.09.2005 : Gentoo Security Update Fixes Apache and mod_ssl
Vulnerabilities
12.09.2005 : SuSE Security Update Fixes Multiple Apache httpd
Vulnerabilities
11.09.2005 : Trustix Security Update Fixes Multiple Package
Vulnerabilities
09.09.2005 : Debian Security Update Fixes Multiple Apache2
Vulnerabilities
09.09.2005 : Mandriva Security Update Fixes Multiple Apache2
Vulnerabilities
08.09.2005 : Fedora Security Update Fixes Multiple Apache httpd
Vulnerabilities
08.09.2005 : Debian Security Update Fixes Multiple Apache
Vulnerabilities
07.09.2005 : Ubuntu Security Update Fixes Multiple Apache httpd
Vulnerabilities
07.09.2005 : Redhat Security Update Fixes Multiple Apache httpd
Vulnerabilities
06.09.2005 : OpenPKG Security Update Fixes Mod_SSL Security Bypass
Issue
05.09.2005 : Apache PCRE "pcre_compile.c" Local Integer Overflow
Vulnerability
01.09.2005 : Trustix Security Update Fixes Multiple Package PCRE
Vulnerabilities
30.08.2005 : Mandriva Security Update Fixes Apache2/PCRE Buffer
Overflow Issue
25.08.2005 : Gentoo Security Update Fixes Apache Denial of Service
Vulnerability
16.08.2005 : SuSE Linux Security Update Fixes Multiple Apache
Vulnerabilities
16.08.2005 : Apple Security Update Fixes Multiple Mac OS X
Vulnerabilities
15.08.2005 : SGI Advanced Linux Environment Updates Fixes Multiple
Issues
11.08.2005 : Sun Security Update Fixes Multiple Solaris / Apache
Vulnerabilities
10.08.2005 : Trustix Security Update Fixes Multiple Apache
Vulnerabilities
04.08.2005 : Ubuntu Security Update Fixes Multiple Apache2
Vulnerabilities
03.08.2005 : Mandriva Security Update Fixes Apache Cross Site
Scripting Issue
03.08.2005 : Mandriva Security Update Fixes Multiple Apache2
Vulnerabilities
02.08.2005 : nCipher CHIL "HWCryptoHook_RandomBytes" Random Cache
Leakage
02.08.2005 : Fedora Security Update Fixes Multiple Apache
Vulnerabilities
02.08.2005 : Trustix Security Update Fixes Multiple Package
Vulnerabilities
29.07.2005 : SuSE Security Update Fixes Multiple Package
Vulnerabilities
25.07.2005 : Redhat Security Update Fixes Multiple Apache
Vulnerabilities
25.07.2005 : Apache 2.x CRL Verification Callback Buffer Overflow
Vulnerability
11.07.2005 : SuSE Security Update Fixes PEAR XML_RPC Code Execution
Issue
17.06.2005 : SpamAssassin Message Header Remote Denial of Service
Issue
27.05.2005 : Ubuntu Security Update Fixes Apache htpasswd
Vulnerability
10.05.2005 : Macromedia ColdFusion MX Error Page Cross Site
Scripting Issue
06.05.2005 : Ubuntu Security Update Fixes Apache htdigest
Vulnerability
03.05.2005 : Apple Security Update Fixes Multiple Mac OS X
Vulnerabilities
08.04.2005 : Macromedia ColdFusion MX Updater File Disclosure
Vulnerability
15.03.2005 : Apache Tomcat "AJP12" Remote Denial Of Service
Vulnerability
10.02.2005 : Apache "mod_python" Publisher Handler Information
Disclosure


>
> It would appear that Secunia bears out your statement above if you stick
> to version 6:
>
> http://secunia.com/product/1438/
>
> Microsoft Internet Information Services (IIS) 6
>
> Vendor: Microsoft Product Affected By: 2 Secunia Advisories
>
> > and 33 for Apache
>
> --
> I love the smell of code compiling in the morning. It smells like... Freedom.

Peter Köhlmann

Jan 7, 2006, 3:17:34 AM
begin virus.txt.scr Larry Qualig wrote:

< snip >

> 02.08.2005 : Fedora Security Update Fixes Multiple Apache
> Vulnerabilities
> 02.08.2005 : Trustix Security Update Fixes Multiple Package
> Vulnerabilities
> 29.07.2005 : SuSE Security Update Fixes Multiple Package
> Vulnerabilities
> 25.07.2005 : Redhat Security Update Fixes Multiple Apache
> Vulnerabilities

Like those, yes? Your list is littered with multiple references to the exact
same updates.

Talk about widiots being disingenuous, lying and being outright dishonest.
You are a prime example.
--
Another name for a Windows tutorial is crash course

Chris H

Jan 7, 2006, 3:34:12 AM

I'm not just talking about this current little disagreement over server
numbers Erik, I'm talking about your general attitude towards open
source and Linux in particular. You obviously have deep seated issues
with Linux or you wouldn't be here defending MS at the drop of a hat.
You obviously feel very strongly, and tell us constantly, that Windows
is superior so why are you running Suse to host your domain? You tell us
that IIS 6 is secure yet use Apache.

Is there any other explanation other than you are a hypocrite?

--
C.

Robert Newson

Jan 7, 2006, 4:17:12 AM
Larry Qualig wrote:

None of which indicates it's been fixed.

> But if I search for "Apache" instead of "IIS" I get the following
> list. How do you read this?

More like this:

> Search Results :
> 06.01.2006 : Mod_auth_pgsql Module for Apache Multiple Format String
> Vulnerabilities

> 06.01.2006 : Apache "mod_ssl" Custom Error Remote Denial Of Service
> Vulnerability

> 13.12.2005 : Apache mod_imap "Referer" Directive Cross Site
> Scripting Vulnerability


> 22.11.2005 : Struts Error Messages Handling Cross Site Scripting
> Vulnerability

> 01.10.2005 : ApacheTop "apachetop.cc" Insecure Temporary File
> Creation Issue


> 05.09.2005 : Apache PCRE "pcre_compile.c" Local Integer Overflow
> Vulnerability

> 25.07.2005 : Apache 2.x CRL Verification Callback Buffer Overflow
> Vulnerability

> 15.03.2005 : Apache Tomcat "AJP12" Remote Denial Of Service
> Vulnerability
> 10.02.2005 : Apache "mod_python" Publisher Handler Information
> Disclosure

> 17.11.2005 : HP-UX Apache Web Server Security Bypass and Denial of
> Service


> 07.10.2005 : HP-UX Apache "SSLVerifyClient" Directive Security
> Bypass Vulnerability

> 10.05.2005 : Macromedia ColdFusion MX Error Page Cross Site
> Scripting Issue


> 08.04.2005 : Macromedia ColdFusion MX Updater File Disclosure
> Vulnerability

> 02.08.2005 : nCipher CHIL "HWCryptoHook_RandomBytes" Random Cache
> Leakage

> 09.11.2005 : SpamAssassin Remote Denial of Service and Security
> Bypass Issue

> 17.06.2005 : SpamAssassin Message Header Remote Denial of Service
> Issue

> 06.12.2005 : Sun Java System Application Server Reverse SSL Proxy
> Plugin Issue

Complete with FIXES to issues:

> 19.10.2005 : Apache HTTP Server Security Update Fixes Multiple
> Vulnerabilities
> 14.10.2005 : Apache HTTP Server Security Update Fixes Multiple
> Vulnerabilities

> 29.11.2005 : Apple Security Update Fixes Multiple Mac OS X
> Vulnerabilities

> 16.08.2005 : Apple Security Update Fixes Multiple Mac OS X
> Vulnerabilities

> 03.05.2005 : Apple Security Update Fixes Multiple Mac OS X
> Vulnerabilities

> 04.10.2005 : Debian Security Update Fixes ApacheTop Temporary File
> Creation


> 09.09.2005 : Debian Security Update Fixes Multiple Apache2
> Vulnerabilities

> 08.09.2005 : Debian Security Update Fixes Multiple Apache
> Vulnerabilities

> 19.09.2005 : Gentoo Security Update Fixes Apache and mod_ssl
> Vulnerabilities


> 25.08.2005 : Gentoo Security Update Fixes Apache Denial of Service
> Vulnerability

> 06.01.2006 : Mandriva Security Update Fixes Apache Cross Site
> Scripting and DoS

> 20.12.2005 : Mandriva Security Update Fixes Apache "worker" Module
> Vulnerability


> 28.10.2005 : Mandriva Security Update Fixes "mod_auth_shadow "
> Security Bypass

> 09.09.2005 : Mandriva Security Update Fixes Multiple Apache2
> Vulnerabilities

> 30.08.2005 : Mandriva Security Update Fixes Apache2/PCRE Buffer
> Overflow Issue

> 03.08.2005 : Mandriva Security Update Fixes Apache Cross Site
> Scripting Issue
> 03.08.2005 : Mandriva Security Update Fixes Multiple Apache2
> Vulnerabilities

> 15.12.2005 : OpenPKG Security Update Fixes Apache Cross Site
> Scripting Issue


> 06.09.2005 : OpenPKG Security Update Fixes Mod_SSL Security Bypass
> Issue

> 31.10.2005 : PHP Security Update Fixes Multiple Restriction Bypass
> Vulnerabilities

> 06.01.2006 : Redhat Security Update Fixes Apache Cross Site
> Scripting and DoS


> 02.11.2005 : Redhat Security Update Fixes Multiple Package
> Vulnerabilities

> 08.09.2005 : Fedora Security Update Fixes Multiple Apache httpd
> Vulnerabilities


> 07.09.2005 : Redhat Security Update Fixes Multiple Apache httpd
> Vulnerabilities

> 02.08.2005 : Fedora Security Update Fixes Multiple Apache
> Vulnerabilities

> 25.07.2005 : Redhat Security Update Fixes Multiple Apache
> Vulnerabilities

> 15.08.2005 : SGI Advanced Linux Environment Updates Fixes Multiple
> Issues

> 07.11.2005 : Slackware Security Update Fixes Multiple Apache
> Vulnerabilities

> 11.08.2005 : Sun Security Update Fixes Multiple Solaris / Apache
> Vulnerabilities

> 03.12.2005 : SuSE Security Update Fixes Multiple Packages
> Vulnerabilities


> 12.09.2005 : SuSE Security Update Fixes Multiple Apache httpd
> Vulnerabilities

> 16.08.2005 : SuSE Linux Security Update Fixes Multiple Apache
> Vulnerabilities

> 29.07.2005 : SuSE Security Update Fixes Multiple Package
> Vulnerabilities

> 11.07.2005 : SuSE Security Update Fixes PEAR XML_RPC Code Execution
> Issue

> 05.01.2006 : Trustix Security Update Fixes Multiple Package
> Vulnerabilities

> 11.09.2005 : Trustix Security Update Fixes Multiple Package
> Vulnerabilities


> 01.09.2005 : Trustix Security Update Fixes Multiple Package PCRE
> Vulnerabilities

> 10.08.2005 : Trustix Security Update Fixes Multiple Apache
> Vulnerabilities

> 02.08.2005 : Trustix Security Update Fixes Multiple Package
> Vulnerabilities

> 07.12.2005 : Ubuntu Security Update Fixes Apache "worker" Module
> Vulnerability

> 07.09.2005 : Ubuntu Security Update Fixes Multiple Apache httpd
> Vulnerabilities


> 04.08.2005 : Ubuntu Security Update Fixes Multiple Apache2
> Vulnerabilities

> 27.05.2005 : Ubuntu Security Update Fixes Apache htpasswd
> Vulnerability

> 06.05.2005 : Ubuntu Security Update Fixes Apache htdigest
> Vulnerability

Note that each of these fixes is generally by a specific distributor and so
the same fix may be supplied in more than one group.

Jesse F. Hughes

Jan 7, 2006, 4:16:31 AM
Erik Funkenbusch <er...@despam-funkenbusch.com> writes:

I will be concerned only when a major, pre-existing distro moves
towards root-by-default. The fact that Linspire suffers from
remarkably dumb design is not symptomatic of Linux in general.

Anyway, I'm not sure about Linspire. I thought they had moved away
from root-by-default. Anyone know about them?

--
"Now I'm informing all of you that the people arguing against me are EVIL,
yes they are real, live EVIL people as mathematics is that important, so
it's important enough for Evil itself to send minions like them."
-- James Harris on Evil's interest in Algebraic Number Theory

William Poaster

Jan 7, 2006, 4:58:49 AM
Once upon a Sat, 07 Jan 2006 02:52:09 +0000 dreary, as I laboured tired &
weary, came a tapping at my door when Sinister Midget posted this, &
nothing more...

> On 2006-01-06, Erik Funkenbusch <er...@despam-funkenbusch.com> posted
> something concerning:
>> On Fri, 06 Jan 2006 19:15:55 +0000, William Poaster wrote:
>>
>>>> or is it just that virus writers aren't interested in targeting
>>>> linux?
>>>
>>> They cannot do the damage to linux machines, that they can to windows
>>> ones:
>>
>> This assumes many things.
>
> Yeah. But *none* of them have anything to do with you being honest,
> consistent or willing to back the specious claims you make when called on
> them.

It seems Ewik FUDboi was replying to my post to the troll? I suppose he
didn't read the links, as he still wants to believe M$'s "Big Lie".
About 10 years ago (or so), Windows was far more open than typical Linux
distributions. Even today, Windows is *still* more open than Linux
was 7-10 years ago. Only the utterly naive, the wilfully ignorant, or the
completely clueless do not see (or do not WANT to see) the difference
between Windows & all distributions of UNIX-like systems for the last 30
years. Only Windows does the UNIX equivalent of requiring *all* user
applications to *always* run as root, & *only* Windows has always been
*intentionally* designed and built to treat data *from anywhere* as
programs.

Jim Richardson

Jan 7, 2006, 4:24:36 AM
On 6 Jan 2006 12:54:19 -0800,
Larry Qualig <lqu...@uku.co.uk> wrote:

You mean other than the fact that many of these are duplicates of the
same flaw? Or aren't actually a flaw in apache at all? (Hint: apachetop
is not a part of apache, it's a "top for apache", if you are familiar
with the *nix top util.)



--
Jim Richardson http://www.eskimo.com/~warlock
The race isn't always to the swift, nor the battle to the strong,
But it's the safest way to bet.
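Added example, not from the thread: a small classifier over a constructed sample of the FrSIRT entries quoted above, separating vendor advisories (the duplicates Peter Köhlmann, Robert Newson and Jim Richardson point at) and hits on other products such as ApacheTop from issues in Apache httpd itself, then grouping the vendor advisories by the issue they ship a fix for. The entry format, the keyword lists and the category names are assumptions.

```python
"""Count vulnerability-feed hits the way the thread argues they should be read."""
import re
from collections import Counter

# Constructed sample: a dozen of the entries quoted upthread, one per line.
SAMPLE = """\
06.01.2006 : Mod_auth_pgsql Module for Apache Multiple Format String Vulnerabilities
06.01.2006 : Redhat Security Update Fixes Apache Cross Site Scripting and DoS
06.01.2006 : Mandriva Security Update Fixes Apache Cross Site Scripting and DoS
06.01.2006 : Apache "mod_ssl" Custom Error Remote Denial Of Service Vulnerability
13.12.2005 : Apache mod_imap "Referer" Directive Cross Site Scripting Vulnerability
15.12.2005 : OpenPKG Security Update Fixes Apache Cross Site Scripting Issue
01.10.2005 : ApacheTop "apachetop.cc" Insecure Temporary File Creation Issue
04.10.2005 : Debian Security Update Fixes ApacheTop Temporary File Creation
22.11.2005 : Struts Error Messages Handling Cross Site Scripting Vulnerability
10.05.2005 : Macromedia ColdFusion MX Error Page Cross Site Scripting Issue
15.08.2005 : SGI Advanced Linux Environment Updates Fixes Multiple Issues
25.07.2005 : Apache 2.x CRL Verification Callback Buffer Overflow Vulnerability
"""

# Assumed entry layout: DD.MM.YYYY : title
ENTRY_RE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{4}) : (.+)$")
# Distributor advisories re-announce an upstream fix rather than a new flaw.
VENDOR_RE = re.compile(r"\b(Security Update|Updates?) Fixes\b")
# Assumption: products that match the keyword "Apache" but are not Apache httpd.
NOT_HTTPD = ("ApacheTop", "Struts", "ColdFusion", "SpamAssassin",
             "Tomcat", "nCipher", "Sun Java System")


def classify(title):
    """Bucket one entry title: vendor advisory, other product, or apache issue."""
    if VENDOR_RE.search(title):
        return "vendor advisory"
    if any(product in title for product in NOT_HTTPD):
        return "other product"
    return "apache issue"


def parse(text):
    """Return (iso_date, title, kind) tuples for every well-formed entry line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        day, month, year, title = match.groups()
        entries.append((f"{year}-{month}-{day}", title, classify(title)))
    return entries


def summarize(text):
    """Count entries per bucket; the raw hit count is the sum of all three."""
    return Counter(kind for _, _, kind in parse(text))


def fixed_issues(text):
    """Map each distinct fixed issue to the vendors that shipped an advisory for it."""
    issues = {}
    for _, title, kind in parse(text):
        if kind != "vendor advisory":
            continue
        vendor, _, issue = title.partition(" Fixes ")
        issues.setdefault(issue, []).append(vendor.split()[0])
    return issues


if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for issue, vendors in fixed_issues(SAMPLE).items():
        print(f"{issue!r}: fixed by {', '.join(vendors)}")
```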

William Poaster

Jan 7, 2006, 5:20:10 AM
Once upon a Sat, 07 Jan 2006 10:16:31 +0100 dreary, as I laboured tired &
weary, came a tapping at my door when Jesse F. Hughes posted this, &
nothing more...

> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>
>>On 6 Jan 2006 15:09:43 -0500, Ray Ingles wrote:
>>> But Linux enforces a privilege separation that Windows doesn't. (Not
>>> "can't" - witness Microsoft's frantic efforts to get developers to go
>>> along with LUA - but "doesn't".)
>>
>> Not really. Linspire, for instance, runs everything as Root. My point
>> is, just because most distros do that today, doesn't mean they all will
>> forever, especially when faced with less than a growing non-savvy user
>> base.
>
> I will be concerned only when a major, pre-existing distro moves towards
> root-by-default. The fact that Linspire suffers from remarkably dumb
> design is not symptomatic of Linux in general.
>
> Anyway, I'm not sure about Linspire. I thought they had moved away from
> root-by-default. Anyone know about them?

It would seem, from this post on a website (dated December 2005), that
they still run as root. I have seen Michael Robertson defending his view
that there isn't any added security value to running as a non-privileged
user in a linux magazine.
http://www.newlinuxuser.com/the-free-world-day-to-day-operations-as-root/

I note too, from the comments published there & in other linux newsgroups,
that the majority disagree with Robertson (as do I). I run two distros on
my machines, SuSE & Mandriva, both of which are also "hardened". I have a
test machine where I run other distros (debian, slack, xandros, etc) but
I've never tried Linspire....nor do I intend to.

Robert Newson

Jan 7, 2006, 5:32:45 AM
The Ghost In The Machine wrote:

...


> However, the virus writers will be interested in targetting Linux as
> Linux becomes more popular; expect more exploits (though not nearly
> as many as a certain other OS!) in the near future.

According to the server web site (supplied by Erik:
http://survey.netcraft.com/index-200106.html), in 2001 Linux accounted for
~29% of the servers (running Apache[1] serving ~63% of the domain[
content]s) whereas Windows accounted for ~49% (serving ~20%) - this being a
~+ve change for Apache, a ~-ve change for IIS. If popularity was the main
factor in attacking an OS, then why aren't more *nix servers attacked as
that'll do more "damage" to more sites when successful - having compromised
the server *more than THREE times* the number of sites will be accessible:
providing access to the private stored data on those sites (CC details, etc?).

[1] That presumes that Windows only runs IIS and that all the Apache servers
are running on *nix with multiple hosts on each (~1/2 the servers - Windows
boxes - can only serve ~1/5 the domains with IIS: each Apache server is
serving ~2/3 the domains, or ~3 domains each!). It is more likely that
Apache is also running on Windows - the stats fail to state the OS/Server
combination figures which would make the conclusions possible - but multiple
domain hosting can't be ruled out.

Kier

Jan 7, 2006, 7:14:22 AM
On Sat, 07 Jan 2006 10:16:31 +0100, Jesse F. Hughes wrote:

> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>
>>On 6 Jan 2006 15:09:43 -0500, Ray Ingles wrote:
>>> But Linux enforces a privilege separation that Windows doesn't. (Not
>>> "can't" - witness Microsoft's frantic efforts to get developers to go
>>> along with LUA - but "doesn't".)
>>
>> Not really. Linspire, for instance, runs everything as Root. My point is,
>> just because most distros do that today, doesn't mean they all will
>> forever, especially when faced with less than a growing non-savvy user
>> base.
>
> I will be concerned only when a major, pre-existing distro moves
> towards root-by-default. The fact that Linspire suffers from
> remarkably dumb design is not symptomatic of Linux in general.

I don't see why Linux becoming more popular should result in all distros
deciding run-as-root is the best way to go.

>
> Anyway, I'm not sure about Linspire. I thought they had moved away
> from root-by-default. Anyone know about them?

I recall an interview in LXF magazine which seemed to suggest they were
still doing it, but that the default state of the distro was to have
everything properly firewalled and protected.

--
Kier

Linønut

Jan 7, 2006, 11:24:13 AM1/7/06
After takin' a swig o' grog, GreyCloud belched out this bit o' wisdom:

> Richard Rasker wrote:
>
>> NT was an admin's nightmare, sometimes needing several reboots per day,
>> but it had a quite elaborate security scheme designed in.
>> However, this 'security' was almost worse than no security, for being
>> illogical, opaque and too complex to use. I recall that for instance
>> resetting one type of permission caused several (but not all) other
>> related settings to be reset as well - which would require a second round
>> of checking *all* settings by the admin. Just one oversight in this
>> laborious task, and poof, no more security. Then there was the UI: just
>> those stupid, utterly time-consuming clickety-click Windows, offering
>> none of the powerful and lightning fast options a common *nix CLI offers,
>> which makes administering the latter such a breeze.

NT 3.5 was excruciatingly brittle.

NT 4 was better, but only a little at first. It took it a couple years
to become halfway stable.

> Hehe.. looks like David Cutler had a brain fart that day trying to
> remember how VMS did it.

And he probably had Gates standing behind him, drywashing his hands and
cackling, peeking over his shoulder, hissing words like some Microsoft
Mephistopheles®:

"Put the graphics in the kernel. Do it. Do It. DOOOOO IIIIIIT!"

Linønut

Jan 7, 2006, 11:30:48 AM1/7/06
After takin' a swig o' grog, Sinister Midget belched out this bit o' wisdom:

> Along with all of the other Apache worms, that makes...hmm, let's
> see...carry the one....multiply by the total numbers....divide by the
> difference....multiply by the octal root...about one. Or two.
>
> How many have there been since Apache was first created, Ewik? How many
> for IIS since /it's/ inception (which came later, by the by)?
>
>> Finally, Apache is only more popular by hostname, not server.
>
> Lather, rinse, repeat. But you're supposed to be using *shampoo*, not
> shit.
>
> One more time for the audience: it takes *how many* IIS servers to do
> the same level of tasks as one linux server (approximation is OK, as
> long as a reasonable effort at accuracy is attempted)?
>
> I thought they retired that dance of yours a couple of years ago. I
> guess you just can't let go, can you?

Another thing to consider is the Weibull curve:

http://www.openchannelfoundation.org/projects/SPRPM/

You can use it to compare two software projects. I remember looking at
the defects for Firefox versus IE, and noting that Firefox was earlier
in its lifetime, and yet had defect numbers comparable to IE.

Maybe someone would be interested in doing a comparison of web servers.

Of course, other factors may screw up such a comparison.

I will state, however, that a low vulnerability report for IIS is a good
thing for the Internet, even if it helps the predatory monopoly and its
minions such as Erik Funkenbusch.

Linønut

Jan 7, 2006, 11:38:56 AM1/7/06
After takin' a swig o' grog, Jesse F. Hughes belched out this bit o' wisdom:

>> Not really. Linspire, for instance, runs everything as Root. My point is,
>> just because most distros do that today, doesn't mean they all will
>> forever, especially when faced with less than a growing non-savvy user
>> base.

Always the pessimist where Linux is concerned, eh, Erik?

Always the optimist where Microsoft is concerned, eh, Erik?

> I will be concerned only when a major, pre-existing distro moves
> towards root-by-default. The fact that Linspire suffers from
> remarkably dumb design is not symptomatic of Linux in general.
>
> Anyway, I'm not sure about Linspire. I thought they had moved away
> from root-by-default. Anyone know about them?

I don't think they do. The FAQ talks about what to do if you forget the
root password. Also how to get the scanner to work as a non-root user.

This is interesting: Seagate drives preloaded with Linux:

http://www.seagate.com/support/kb/disc/faq/lindows.html

Linønut

Jan 7, 2006, 11:42:20 AM1/7/06
After takin' a swig o' grog, Kier belched out this bit o' wisdom:

> On Sat, 07 Jan 2006 10:16:31 +0100, Jesse F. Hughes wrote:
>
>> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>>
>> I will be concerned only when a major, pre-existing distro moves
>> towards root-by-default. The fact that Linspire suffers from
>> remarkably dumb design is not symptomatic of Linux in general.
>
> I don't see why Linux becoming more popular should result in all distros
> deciding run-as-root is the best way to go.

In Erik's world, if something bad can be done in Linux, it will be done.

If something bad can be done in Windows, it won't be done.

>> Anyway, I'm not sure about Linspire. I thought they had moved away
>> from root-by-default. Anyone know about them?
>
> I recall an interview in LXF magazine which seemed to suggest they were
> still doing it, but that the default state of the distro was to have
> everything properly firewalled and protected.

Hmmm. This picture is quite disturbing, then:

http://help.linspire.com/cgi-bin/linspire.cfg/php/enduser/std_adp.php?p_faqid=1242&p_created=1106782922&p_sid=szA_K*Yh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTQmcF9wcm9kX2x2bDE9OSZwX3Byb2RfbHZsMj0xNTgmcF9jYXRfbHZsMT0mcF9jYXRfbHZsMj0mcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1yb290&p_li=

Sorry, no tiny URL for you!

Linønut

Jan 7, 2006, 11:59:23 AM1/7/06
After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> The "Wrong" was in regards to "A majority of the world's servers already run
> Linux / BSD's."

Can you

1. Post a link that unequivocally shows this?

2. Explain how that is a net positive for Windows?

>> Second, as far as I know, NT only supported MS networking. If you
>> wanted TCP/IP, you had to buy a 3rd-party package. Same for Novell
>> Client networking, if I recall correctly.
>
> No, NT had TCP/IP from the get go.

Then I'm extremely curious as to why a few on another project had to
purchase a TCP/IP package in order to complete his project.

I do now seem to remember a book about NT networking that also talked
about sockets, around that time. It looks like MS had some info on it;
the links I tried were no longer present, though.

So perhaps the NT TCP/IP stack was buggy?

Linønut

Jan 7, 2006, 12:01:16 PM1/7/06
After takin' a swig o' grog, Chris H belched out this bit o' wisdom:

I think Erik needs to provide this apparently missing Wiki item:

http://krysalis.org/cgi-bin/krywiki.pl?action=history&id=WinSock

History of WinSock

Revision 0: View Diff . . January 7, 2006 8:59 am by 68.58.236.xxx
HomePage | RecentChanges | Preferences
Search:


< A BIG VOID >

Linønut

Jan 7, 2006, 12:05:39 PM1/7/06
After takin' a swig o' grog, Larry Qualig belched out this bit o' wisdom:

>
> Linønut <linøn...@bone.com> wrote:
>> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>>
>> > Perhaps you'd care to back this up. Please name the IIS worm or hacks for
>> > IIS, since there's only been 2 vulnerabilities affecting IIS in the last 3
>> > years,
>>
>> What are these?
>>
>> http://www.frsirt.com/exploits/product/4549
>

> But if I search for "Apache" instead of "IIS" I get the following
> list. How do you read this?

I read it as Apache having more entries.

What should I be reading it as?

I simply asked about Erik's "2" number when I saw more, and it turns out
Erik was talking only about version 6 of IIS.

> Search Results :
> 06.01.2006 : Mod_auth_pgsql Module for Apache Multiple Format String
> Vulnerabilities
> 06.01.2006 : Redhat Security Update Fixes Apache Cross Site
> Scripting and DoS
> 06.01.2006 : Mandriva Security Update Fixes Apache Cross Site

Typical Microsoft help here, answering questions not asked.

For what it is worth, IIS's record looks pretty good to me.

Now Microsoft needs to distribute the IIS team members to other
Microsoft projects.

Erik Funkenbusch

Jan 7, 2006, 1:53:36 PM1/7/06
On Sat, 07 Jan 2006 08:34:12 +0000, Chris H wrote:

> Erik Funkenbusch wrote:
>> On Fri, 06 Jan 2006 23:47:39 +0000, Chris H wrote:
>>
>>>Hey Erik, if you think Apache/Linux is such a bad combination why do you
>>>run funkenbusch.com in it?
>>
>> I didn't say it was. Why is it that people like yourself interpret "Apache
>> doesn't run on the majority of the servers" with "Apache sucks". I said
>> the first, not the latter.
>
> I'm not just talking about this current little disagreement over server
> numbers Erik, I'm talking about your general attitude towards open
> source and Linux in particular. You obviously have deep seated issues
> with Linux or you wouldn't be here defending MS at the drop of a hat.

You really should pay more attention. I challenge you to find any
significant number of posts I've made in which I say Linux sucks, or that
it's a poor solution. I don't say that. What I say, is that Linux isn't
the holy grail of computing, and as such isn't anywhere near what many
Linux advocates make it out to be. That's not to say it's "bad", just that
it's not the perfect panacea claimed.

Why is it so difficult for you to differentiate between "You're
exaggerating" and "It sucks"?

> You obviously feel very strongly, and tell us constantly, that Windows
> is superior so why are you running Suse to host your domain? You tell us
> that IIS 6 is secure yet use Apache.

Again, I challenge you to show me where I say Windows is superior. I don't
generally say that. There are a few areas where I do believe it's
superior, but that's not my typical argument, so please stop putting words
in my mouth.

> Is there any other explanation other than you are a hypocrite?

Yes, you are fabricating what you think I'm saying.

Erik Funkenbusch

Jan 7, 2006, 1:56:08 PM1/7/06
On Sat, 07 Jan 2006 10:16:31 +0100, Jesse F. Hughes wrote:

> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>
>>On 6 Jan 2006 15:09:43 -0500, Ray Ingles wrote:
>>> But Linux enforces a privilege separation that Windows doesn't. (Not
>>> "can't" - witness Microsoft's frantic efforts to get developers to go
>>> along with LUA - but "doesn't".)
>>
>> Not really. Linspire, for instance, runs everything as Root. My point is,
>> just because most distros do that today, doesn't mean they all will
>> forever, especially when faced with less than a growing non-savvy user
>> base.
>
> I will be concerned only when a major, pre-existing distro moves
> towards root-by-default. The fact that Linspire suffers from
> remarkably dumb design is not symptomatic of Linux in general.

However, Linspire is likely to be one of the major distros used by
"newbies". And, while it may not be symptomatic of Linux in general, it is
evidence that Linux does not enforce non-privileged use. Certain distros
may, but it's not something inherent to Linux.

> Anyway, I'm not sure about Linspire. I thought they had moved away
> from root-by-default. Anyone know about them?

Nope, still root by default, and Michael Robertson likes to argue why it's
that way.

Erik Funkenbusch

Jan 7, 2006, 1:58:25 PM1/7/06
On Sat, 07 Jan 2006 10:38:56 -0600, Linønut wrote:

> After takin' a swig o' grog, Jesse F. Hughes belched out this bit o' wisdom:
>
>>> Not really. Linspire, for instance, runs everything as Root. My point is,
>>> just because most distros do that today, doesn't mean they all will
>>> forever, especially when faced with less than a growing non-savvy user
>>> base.
>
> Always the pessimist where Linux is concerned, eh, Erik?
>
> Always the optimist where Microsoft is concerned, eh, Erik?

In here, that's usually true. There's a reason for that, though, since
Linux advocates like to exaggerate the quality of Linux, and the crappiness
of Windows.

Erik Funkenbusch

Jan 7, 2006, 2:03:46 PM1/7/06
On Sat, 07 Jan 2006 10:59:23 -0600, Linønut wrote:

> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
>> The "Wrong" was in regards to "A majority of the world's servers already run
>> Linux / BSD's."
>
> Can you
>
> 1. Post a link that unequivocally shows this?

I don't have to prove it, the original poster needs to prove his claim.
The only numbers I have are the Netcraft numbers, which show Windows having
50% of the servers.

> 2. Explain how that is a net positive for Windows?

Always the tap dance.

>>> Second, as far as I know, NT only supported MS networking. If you
>>> wanted TCP/IP, you had to buy a 3rd-party package. Same for Novell
>>> Client networking, if I recall correctly.
>>
>> No, NT had TCP/IP from the get go.
>
> Then I'm extremely curious as to why a few on another project had to
> purchase a TCP/IP package in order to complete his project.

I have no idea. NT 3.1 had TCP/IP.

> I do now seem to remember a book about NT networking that also talked
> about sockets, around that time. It looks like MS had some info on it;
> the links I tried were no longer present, though.
>
> So perhaps the NT TCP/IP stack was buggy?

I'm sure it had bugs. Even Linux's stack has had them.

Erik Funkenbusch

Jan 7, 2006, 2:05:05 PM1/7/06
On Sat, 07 Jan 2006 11:05:39 -0600, Linønut wrote:

>> But if I search for "Apache" instead of "IIS" I get the following
>> list. How do you read this?
>
> I read it as Apache having more entries.
>
> What should I be reading it as?
>
> I simply asked about Erik's "2" number when I saw more, and it turns out
> Erik was talking only about version 6 of IIS.

I only talk about the most recent versions of anything, be it Windows or
Linux. I don't include Apache 1.3 bugs when I talk about Apache, so
there's no point in including IIS5 or earlier.

Tim Smith

Jan 7, 2006, 2:42:33 PM1/7/06
In article <144ga0v0...@funkenbusch.com>,

Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
> > But Linux enforces a privilege separation that Windows doesn't. (Not
> > "can't" - witness Microsoft's frantic efforts to get developers to go
> > along with LUA - but "doesn't".)
>
> Not really. Linspire, for instance, runs everything as Root. My point is,
> just because most distros do that today, doesn't mean they all will
> forever, especially when faced with less than a growing non-savvy user
> base.

I think that is *extremely* unlikely. If one or more of the major
distributions (Redhat/Fedora, SuSE, etc) decided they needed to deal
with the problems of non-savvy users, I'm sure they'd look around to
see how others have dealt with this.

In particular, they would certainly take a look at how Apple handles
this in OS X. OS X is a unix, after all, but is great for non-savvy
users, too.

I just don't see a Redhat or SuSE or any other major distro going with
"everything as root" and taking the resulting hit in security, when they
could go with an Apple-like approach and cater to the non-savvy users
without compromising the unixness of their distro.

--
--Tim Smith

Tim Smith

Jan 7, 2006, 2:56:34 PM1/7/06
In article <pan.2006.01.07....@jvyycbnfg.zr.hx>,

William Poaster <will...@jvyycbnfg.zr.hx> wrote:
> > Anyway, I'm not sure about Linspire. I thought they had moved away from
> > root-by-default. Anyone know about them?
>
> It would seem, from this post on a website (dated December 2005), that
> they still run as root. I have seen Michael Robertson defending his view
...

> I note too, from the comments published there & in other linux newsgroups,
> that the majority disagree with Robertson (as do I). I run two distros on
> my machines, SuSE & Mandriva, both of which are also "hardened". I have a

Has anyone seriously considered going even farther in this direction?
On one extreme, there is the Linspire approach:

User is root, so apps run as root.

Then there is the normal approach

User has a non-root account. Apps run as that user.

Why not go farther:

User has a non-root account. Simple commands run by the user run as
that user.

Each major application (browsers, mail programs, office suites)
would have its own user, and run setuid to that user.

So, when you want to browse the web, say, your browser would be running
as "www_user" instead of you, and would not have write permission to
most of your files or directories. You'd have one directory set up in
your home that www_user could write to, so when you download things,
that's where they go. If a web site uses an exploit to take over your
browser, the damage is limited--it can't get to most of your files.

I think (off the top of my head--haven't tried to work out the details)
that with proper use of permissions and ACLs, this could be made
reasonably workable.

(I'm trying to constrain this so that no changes would be required to
apps. If one designed from the start for a scheme like this and so the
apps were actually modified to support it, then it would be easy--you'd
have a daemon that runs as you that launches apps for you, giving them an
open socket that they can use to communicate back to the daemon. The
apps would be setuid to www_user, mail_user, etc., and if/when they
needed to do a file operation on your files, they'd ask the daemon, and
it would do it for them, after checking to make sure it is OK).


--
--Tim Smith
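An added example, not code from Tim's post or from any real project, of the daemon variant he sketches at the end: a trusted broker that runs as the user, an untrusted app that holds nothing but a socket, and file descriptors passed back over that socket with SCM_RIGHTS once the broker has applied its policy. The two sides are threads here rather than separate uids, since the fd passing and the policy check are identical either way; in the real design the app would run setuid to www_user and receive its socket at launch. The class names, the `OPEN <flags> <name>` wire format and the scenario in demo() are all constructed for this illustration.

```python
import array
import os
import socket
import tempfile
import threading

# Added example; not from the thread. All names and the demo scenario are constructed.


def send_fd(sock, fd, msg=b"OK"):
    """Pass an open descriptor to the peer; the kernel creates a new fd on their side."""
    sock.sendmsg([msg], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock):
    fds = array.array("i")
    msg, ancdata, _, _ = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return msg, (fds[0] if fds else None)


class FileBroker:
    """Trusted side: would run as the real user. Hands out open descriptors, never paths."""

    def __init__(self, allowed_dir):
        # Keep the directory itself open: opens are relative to this fd, so renaming or
        # replacing the directory later cannot redirect them anywhere else.
        self.dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)

    @staticmethod
    def permitted_name(name):
        # Policy: a bare file name only. No '/', hence no absolute paths and no '../';
        # no '.' or '..'. Nothing outside the download directory can even be named.
        return bool(name) and "/" not in name and name not in (".", "..")

    def serve(self, sock):
        """Answer b'OPEN <flags> <name>' requests until the peer closes its end."""
        with sock:
            while True:
                req = sock.recv(4096)
                if not req:
                    break
                try:
                    verb, flags, name = req.decode().split(" ", 2)
                    if verb != "OPEN" or not self.permitted_name(name):
                        raise PermissionError(name)
                    # O_NOFOLLOW: a symlink planted in the download directory cannot
                    # steer the open at a file elsewhere. New files are created 0600.
                    fd = os.open(name, int(flags) | os.O_NOFOLLOW, 0o600, dir_fd=self.dir_fd)
                except (ValueError, OSError):
                    sock.sendall(b"DENY")
                    continue
                send_fd(sock, fd)
                os.close(fd)  # the app now owns its own copy
        os.close(self.dir_fd)


class BrokeredApp:
    """Untrusted side: would run as www_user. Its only capability is the socket."""

    def __init__(self, sock):
        self.sock = sock

    def open(self, name, flags):
        self.sock.sendall(f"OPEN {flags} {name}".encode())
        msg, fd = recv_fd(self.sock)
        if msg != b"OK" or fd is None:
            raise PermissionError(name)
        return fd


def demo():
    """Constructed scenario: a home with a private file and a Downloads directory."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        downloads = os.path.join(home, "Downloads")
        os.mkdir(downloads)
        secret = os.path.join(home, "secret.txt")
        with open(secret, "w") as f:
            f.write("private data")
        os.symlink(secret, os.path.join(downloads, "link"))  # planted by an attacker

        broker = FileBroker(downloads)
        broker_end, app_end = socket.socketpair()
        worker = threading.Thread(target=broker.serve, args=(broker_end,))
        worker.start()
        app = BrokeredApp(app_end)

        fd = app.open("page.html", os.O_WRONLY | os.O_CREAT)  # a download: allowed
        os.write(fd, b"<html>hello</html>")
        os.close(fd)
        results["download_written"] = open(os.path.join(downloads, "page.html")).read() == "<html>hello</html>"

        for label, name in (("traversal_denied", "../secret.txt"),
                            ("absolute_denied", secret),
                            ("symlink_denied", "link")):
            try:
                os.close(app.open(name, os.O_RDONLY))
                results[label] = False
            except PermissionError:
                results[label] = True

        app_end.close()
        worker.join()
    return results
```

The broker never hands the app a path it could reuse: the policy admits bare file names only, the open is done relative to a held directory fd with O_NOFOLLOW, and what comes back is a descriptor the app can read or write but cannot use to rename, relink or reach a sibling file. What the app cannot do here is exactly what a browser taken over by a hostile page cannot do.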

Jesse F. Hughes

Jan 7, 2006, 3:32:33 PM1/7/06
Tim Smith <reply_i...@mouse-potato.com> writes:

> Why not go farther:
>
> User has a non-root account. Simple commands run by the user run as
> that user.
>
> Each major application (browsers, mail programs, office suites)
> would have its own user, and run setuid to that user.
>
> So, when you want to browse the web, say, your browser would be running
> as "www_user" instead of you, and would not have write permission to
> most of your files or directories. You'd have one directory set up in
> your home that www_user could write to, so when you download things,
> that's where they go. If a web site uses an exploit to take over your
> browser, the damage is limited--it can't get to most of your files.

Interesting idea, but wouldn't there be some obvious drawbacks?
Suppose I change browsers and want to remove the .netscape (or
whatever) directory. I couldn't execute "rm -rf .netscape" as jesse,
since www_user owns .netscape (or at least the files in it), right?

Or is this where ACLs are useful? I don't know diddly about them.


--
Jesse F. Hughes

"Things are pretty mixed up, but I think the worst is over."
-- A LaTeX error message or a psychic forecast?

Jim Richardson

Jan 7, 2006, 3:09:31 PM1/7/06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 7 Jan 2006 12:53:36 -0600,
Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
> On Sat, 07 Jan 2006 08:34:12 +0000, Chris H wrote:
>
>> Erik Funkenbusch wrote:
>>> On Fri, 06 Jan 2006 23:47:39 +0000, Chris H wrote:
>>>
>>>>Hey Erik, if you think Apache/Linux is such a bad combination why do you
>>>>run funkenbusch.com in it?
>>>
>>> I didn't say it was. Why is it that people like yourself interpret "Apache
>>> doesn't run on the majority of the servers" with "Apache sucks". I said
>>> the first, not the latter.
>>
>> I'm not just talking about this current little disagreement over server
>> numbers Erik, I'm talking about your general attitude towards open
>> source and Linux in particular. You obviously have deep seated issues
>> with Linux or you wouldn't be here defending MS at the drop of a hat.
>
> You really should pay more attention. I challenge you to find any
> significant number of posts I've made in which I say Linux sucks, or that
> it's a poor solution. I don't say that. What I say, is that Linux isn't
> the holy grail of computing, and as such isn't anywhere near what many
> Linux advocates make it out to be. That's not to say it's "bad", just that
> it's not the perfect panacea claimed.
>
> Why is it so difficult for you to differentiate between "You're
> exaggerating" and "It sucks"?
>

I'm still looking for the "Linux is perfect" posts you claim to see.


>> You obviously feel very strongly, and tell us constantly, that Windows
>> is superior so why are you running Suse to host your domain? You tell us
>> that IIS 6 is secure yet use Apache.
>
> Again, I challenge you to show me where I say Windows is superior. I don't
> generally say that. There are a few areas where I do believe it's
> superior, but that's not my typical argument, so please stop putting words
> in my mouth.

You just make false claims, like Linux can't possibly be EAL4+ certified.


>
>> Is there any other explanation other than you are a hypocrite?
>
> Yes, you are fabricating what you think I'm saying.


or you, like Rex, say shit that is bullcrap.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDwB/6d90bcYOAWPYRAlfHAKCaCSeb7dVrUSFSBrsLpj4a+KpFCgCg0mJi
AZaZtqZdTQ3YfP5vEpugFFE=
=JXLh
-----END PGP SIGNATURE-----

You are only young once, but you can stay immature indefinitely.

Jim Richardson

Jan 7, 2006, 3:13:24 PM1/7/06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


What, you feel constrained to exaggerate the quality of MS-Windows, and
the flaws of Linux ?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDwCDkd90bcYOAWPYRAqqQAKDhZSHO3hYJR/3V5IaH+J8hux7WagCfcYJU
sMzAAQ884K58v5MyTHaBwZ8=
=SSWU
-----END PGP SIGNATURE-----

I'd explain it all to you, but your brain would explode.

Jim Richardson

Jan 7, 2006, 3:20:36 PM1/7/06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The latest version of Apache (2.2.0) has had *one* security flaw, and a
pretty limited one at that. (going by Erik's "how commonly it would be
installed" it's even more minor, it affected mod_imap. ) Oh, the bug is
fixed in 2.2.1.dev.


So from this, we can conclude that apache has half the security flaws of
IIS? Again, using Erikmetrics.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDwCKUd90bcYOAWPYRApHnAKDf5M55D2DAyj92Ta4ULtzrCEK6DgCg64E0
lyq66fex3be6iWYTdhvpLWQ=
=P7th
-----END PGP SIGNATURE-----

"Human beings can always be counted on to assert with vigor
their God-given right to be stupid."
-- Dean Koontz

Chris H

Jan 7, 2006, 6:03:57 PM1/7/06
Erik Funkenbusch wrote:
> On Sat, 07 Jan 2006 08:34:12 +0000, Chris H wrote:

>>I'm not just talking about this current little disagreement over server
>>numbers Erik, I'm talking about your general attitude towards open
>>source and Linux in particular. You obviously have deep seated issues
>>with Linux or you wouldn't be here defending MS at the drop of a hat.
>
>
> You really should pay more attention. I challenge you to find any
> significant number of posts I've made in which I say Linux sucks, or that
> it's a poor solution. I don't say that.

So now I've got to find a "significant number", good cop out Erik, so if
I find two or three it still won't be good enough, will it?

Also, I never said you did say that, I said you "have deep seated issues
with Linux or you wouldn't be here defending MS at the drop of a hat.",
why do you feel the need to come here by the way?

> What I say, is that Linux isn't
> the holy grail of computing, and as such isn't anywhere near what many
> Linux advocates make it out to be. That's not to say it's "bad", just that
> it's not the perfect panacea claimed.
>
> Why is it so difficult for you to differentiate between "You're
> exaggerating" and "It sucks"?

Probably because I've never seen you say one good thing about Linux,
you're a bit like a person that constantly goes on about ethnic
minorities then complains when someone calls you a racist.

>>You obviously feel very strongly, and tell us constantly, that Windows
>>is superior so why are you running Suse to host your domain? You tell us
>>that IIS 6 is secure yet use Apache.
>
>
> Again, I challenge you to show me where I say Windows is superior. I don't
> generally say that. There are a few areas where I do believe it's
> superior, but that's not my typical argument, so please stop putting words
> in my mouth.

So, there must be a few areas where you think that it's inferior as
well? Why do you never talk about them?

>>Is there any other explanation other than you are a hypocrite?
>
>
> Yes, you are fabricating what you think I'm saying.

Actually there is another explanation that I didn't spot until later on,
it isn't your SuSE server at all is it? It belongs to your employer
Seahorse Software and you just have the website and get your mail
delivered there.

BTW, you need to set up rDNS on that host.

--
C.

Chris H

Jan 7, 2006, 6:26:25 PM1/7/06
Erik Funkenbusch wrote:
> On 6 Jan 2006 15:32:24 -0500, Ray Ingles wrote:
>
>
>>>This assumes many things. First, it assumes that as more users use Linux,
>>>that more "user friendly" software won't be developed that will override
>>>the hoops users have to jump through to execute attachments. In fact, it's
>>>highly likely that as a system gains more and more "laypeople", that
>>>software will be written to their level.
>>
>> Ubuntu shows an excellent model for this, with its sudo-based
>>administration. The user doesn't need to 'switch users' or anything to
>>do administration, but there is a very clear separation between normal
>>operation and system administration nonetheless.
>
>
> That model has the disadvantage that it trains users to simply type in
> their password every time someone asks for it. This will lead to spoofing
> compromises in the future. It also gets annoying. OSX uses a similar
> model, and recently I upgraded Adobe Creative Suite 2, and literally had to
> type my password 15 times every 2 minutes. Talk about annoying.
>
>
>> Plus Linux (and developers for it) enforce a separation between data
>>and executables.
>
>
> You're still ignoring that this is largely a policy, and can be overridden
> easily. For example, suppose there's a buffer overflow in your web browser
> or email application that allows execution of arbitrary code. You don't
> need to set any bits on the data, and you could execute a command that, for
> instance, changes the users umode to set everything executable by default.

Do you mean umask here? I still don't see how that would compromise
what's in /usr/bin or /etc.

> These 'barriers' are not barriers for long.

So you say, but surely this is still better than the way Windows does it
with *no* barriers at all? Bet you can't admit it Erik.

>> I'm not too worried on that score. No, it's not impossible to infect a
>>Linux box, but it's noticeably harder, and the diversity of
>>distributions adds another layer of defense. An exploit that works on
>>one won't work on another, or else needs to be polymorphic, a much
>>harder job to write.
>
>
> That's something virus writers are already doing on Windows, for example
> the RPC vulnerabilities required different code depending on what OS they
> ran on.


--
C.
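An added example, not from any post in this thread, on the umask question Chris raises. umask only clears bits from the mode a program requests when it creates a file; it can never add one. A mail client or browser saving an attachment asks for 0666 (open(2) with O_CREAT), so the execute bits stay off whatever the umask is set to, and something still has to chmod +x the file before the kernel will run it. Existing files such as those in /usr/bin or /etc are never touched by umask at all. The function names are mine.

```python
import os
import stat
import tempfile

# Added example; not the thread's code. Shows that the mode of a new file is
# (requested mode) & ~umask, so a umask cannot grant execute permission.


def mode_after_umask(umask_value, requested=0o666):
    """Create a file under the given umask the way a program saving an attachment
    does (O_CREAT with mode 0666) and return the permission bits the kernel applied."""
    previous = os.umask(umask_value)  # process-wide setting; restore it afterwards
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "attachment.bin")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


def is_executable(mode):
    """True if any of the user/group/other execute bits is set."""
    return bool(mode & 0o111)


def mode_after_chmod_x(umask_value):
    """What it actually takes to run a saved attachment: an explicit chmod +x."""
    previous = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "attachment.bin")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
            os.close(fd)
            os.chmod(path, os.stat(path).st_mode | 0o111)  # the deliberate step
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)
```

Even a umask of 000, the most permissive possible, yields 0666 for a saved attachment: readable and writable by everyone, executable by no one. Only a program that asks for 0777 at creation time (a compiler or linker writing its output, for instance) gets execute bits, and the umask can still only subtract from those.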

Jim Richardson

Jan 7, 2006, 7:36:21 PM1/7/06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 07 Jan 2006 21:32:33 +0100,
Jesse F. Hughes <je...@phiwumbda.org> wrote:
> Tim Smith <reply_i...@mouse-potato.com> writes:
>
>> Why not go farther:
>>
>> User has a non-root account. Simple commands run by the user run as
>> that user.
>>
>> Each major application (browsers, mail programs, office suites)
>> would have its own user, and run setuid to that user.
>>
>> So, when you want to browse the web, say, your browser would be running
>> as "www_user" instead of you, and would not have write permission to
>> most of your files or directories. You'd have one directory set up in
>> your home that www_user could write to, so when you download things,
>> that's where they go. If a web site uses an exploit to take over your
>> browser, the damage is limited--it can't get to most of your files.
>
> Interesting idea, but wouldn't there be some obvious drawbacks?
> Suppose I change browsers and want to remove the .netscape (or
> whatever) directory. I couldn't execute "rm -rf .netscape" as jesse,
> since www_user owns .netscape (or at least the files in it), right?
>
> Or is this where ACLs are useful? I don't know diddly about them.
>

You have write permissions to ~/, even root owned files there, with no
write permissions for you, can be deleted by your account. Try it,
create a file (as root) with no write perms for your account, then
delete it.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDwF6Fd90bcYOAWPYRAggdAKDkO707iy5h+4f/F8W1sjRjtn2sHACdE4AP
TuSymPpnNd3IdtdgLphRui0=
=Kjhd
-----END PGP SIGNATURE-----

"We are either doing something, or we are not. 'Talking about' is a
subset of 'not'."
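An added example, not code from Jim's or Tim's post, of the rule Jim states and of why, under Tim's scheme, the user could still delete a www_user-owned ~/.netscape: unlink(2) checks write and search permission on the containing directory, not on the file, so the file's mode and owner do not matter. The one exception is a directory with the sticky bit set, which is how /tmp lets every user create files without letting them delete each other's; a download directory shared between the user and www_user in Tim's design would want that bit too. The names are mine; run it as an ordinary user, since root bypasses the directory check (the script reports whether it is root so that case is visible).

```python
import os
import stat
import tempfile

# Added example; not the thread's code. Demonstrates that deleting a file needs write
# permission on the directory, not on the file, and shows the sticky bit that changes that.


def is_root():
    return os.geteuid() == 0


def _try_unlink(path):
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False


def unlink_rules():
    """Return which deletions succeed under the ordinary Unix permission rules."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        # Case 1: a read-only file in a directory we own and can write to. It stands in
        # for a www_user-owned ~/.netscape (chown needs root, but the file's owner and
        # mode are irrelevant to unlink anyway, which is the point).
        profile = os.path.join(home, ".netscape")
        open(profile, "w").close()
        os.chmod(profile, 0o444)
        results["readonly_file_in_own_dir"] = _try_unlink(profile)

        # Case 2: a fully writable file in a directory we cannot write to.
        locked = os.path.join(home, "locked")
        os.mkdir(locked)
        cache = os.path.join(locked, "cache")
        open(cache, "w").close()
        os.chmod(cache, 0o666)
        os.chmod(locked, 0o555)
        try:
            results["writable_file_in_readonly_dir"] = _try_unlink(cache)
        finally:
            os.chmod(locked, 0o755)  # let TemporaryDirectory clean up

        # Case 3: the sticky bit (mode 1777, as on /tmp). With it set, only a file's
        # owner, the directory's owner or root may unlink it, even though the directory
        # is world-writable. Needs two uids to exercise, so only the mode is shown here.
        shared = os.path.join(home, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        results["sticky_bit_set"] = bool(os.stat(shared).st_mode & stat.S_ISVTX)
    return results
```

As an ordinary user the first deletion succeeds and the second fails with EACCES; as root both succeed, which is one more reason the account that runs the browser should not be root.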

Kelsey Bjarnason

Jan 7, 2006, 9:15:04 PM1/7/06
[snips]

Erik Funkenbusch wrote:

> This assumes many things. First, it assumes that as more users use Linux,
> that more "user friendly" software won't be developed that will override
> the hoops users have to jump through to execute attachments.

Umm... contrary to the views often provided here, Linux *is* easy to use and
user friendly. However, consider for a moment the whole concept of
executing an attachment. Why would you ever do this in the first place?

Ponder that a moment. "Here's a file, from an unknown source, with unknown
contents - so I should run it so it can do maximal possible damage." Is
this smart? No.

A legitimate executable will, of course, come from a trusted repository, or
the vendor's site. A vanishingly small number will come from friends or
associates who are developers, sending you something to test. Pretty much
anything else should be treated with extreme suspicion.

Case in point, it's been a hell of a long time since anyone even tried to
send me an executable; the last one I can recall offhand was some stupid
"elf bowling" game - which turns out to have been loaded with malware.

Net result, attachments should not, ever, need to be executed. If they do,
red flags should be flying, bells going off, and "Danger, Will Robinson"
should be echoing through the air.

Frankly, the only attachments you should be getting - or trusting - are
documents. Archives, word processor documents, videos, sound bites,
images, that sort of thing. Not executables.

I'm sure someone, somewhere, will indeed write *nix software which mimics
the idiocies of some of the Windows apps out there. I'm equally sure it
will be stomped on by the archive maintainers, if nobody else, since it
would, by design, be a gaping, screaming and effectively unfixable security
hole - and who wants that in a repository of software whose goal is to
provide *good* software?


Kelsey Bjarnason

Jan 7, 2006, 9:30:03 PM1/7/06
[snips]

Erik Funkenbusch wrote:

> That model has the disadvantage that it trains users to simply type in
> their password everytime someone asks for it.

The only time you're asked for it is if you're doing _system-level_
maintenance. Which, right there, should be a clue that if someone is
asking you for it, something is wrong.

> This will lead to spoofing
> compromises in the future. It also gets annoying. OSX uses a similar
> model, and recently I upgraded Adobe Creative Suite 2, and literally had
> to
> type my password 15 times every 2 minutes. Talk about annoying.

Then you, or they, are doing something wrong. I did a reinstall, from
formatting on up, on this box today. I've had about 15 prompts for my
password in all of that. In normal operation, I *never* see it, since it
means I'm not _using_ the machine, I'm trying to _administer_ it - which
apart from installing software, setting up a printer or the like, I just
don't do on a daily basis.

> You're still ignoring that this is largely a policy, and can be overridden
> easily.

It's a policy which applies at essentially every level of the code
executing.

> For example, suppose there's a buffer overflow in your web
> browser
> or email application that allows execution of arbitrary code.

Then the code gets executed... and now has to deal with the underlying
mechanisms for defending the system.


Erik Funkenbusch

Jan 8, 2006, 2:17:08 AM

On Sat, 7 Jan 2006 12:20:36 -0800, Jim Richardson wrote:

>> I only talk about the most recent versions of anything, be it Windows or
>> Linux. I don't include Apache 1.3 bugs when I talk about Apache, so
>> there's no point in including IIS5 or earlier.
>
> The latest version of Apache (2.2.0) has had *one* security flaw, and a
> pretty limited one at that. (going by Erik's "how commonly it would be
> installed" it's even more minor, it affected mod_imap. ) Oh, the bug is
> fixed in 2.2.1.dev.

Apache 2.2 hasn't been around long enough to gain any meaningful sample.
In the time since 2.2.0 was released, IIS has had *0* flaws.

> So from this, we can conclude that apache has half the security flaws of
> IIS? Again, using Erikmetrics.

You might want to recalculate that.

Erik Funkenbusch

Jan 8, 2006, 2:28:52 AM

On Sun, 08 Jan 2006 02:15:04 GMT, Kelsey Bjarnason wrote:

> Erik Funkenbusch wrote:
>
>> This assumes many things. First, it assumes that as more users use Linux,
>> that more "user friendly" software won't be developed that will override
>> the hoops users have to jump through to execute attachments.
>
> Umm... contrary to the views often provided here, Linux *is* easy to use and
> user friendly. However, consider for a moment the whole concept of
> executing an attachment. Why would you ever do this in the first place?

The very fact that it happens so often should tell you that users WANT to
do this.

> Ponder that a moment. "Here's a file, from an unknown source, with unknown
> contents - so I should run it so it can do maximal possible damage." Is
> this smart? No.

Actually, no. It seldom is from an "unknown" source. It comes from a
friend, or relative in many cases. You trust them, right? Even better, it
contains some scintillating hints about what it might contain, such as Paris
Hilton pictures, or an 'amazing' screen saver. Curiosity, as they say,
killed the cat.

> A legitimate executable will, of course, come from a trusted repository, or
> the vendor's site. A vanishingly small number will come from friends or
> associates who are developers, sending you something to test. Pretty much
> anything else should be treated with extreme suspicion.

Not to end users. A good example is the amazing popularity of "e-vites" or
"e-greeting cards". These get forwarded around like crazy. Users WANT to
send this stuff to their friends, and their friends want to get it.

> Case in point, it's been a hell of a long time since anyone even tried to
> send me an executable; the last one I can recall offhand was some stupid
> "elf bowling" game - which turns out to have been loaded with malware.

Indeed. But users really don't understand all that. All they know is
their stupid software won't let them play the game, or view the
screensaver, or see the pictures. Now, along comes a company that provides
them an email program that WILL (oh, such as IncrediMail, which embeds all
kind of cutesy bullshit in emails that people love).

The fact that you've conditioned your friends and family not to send this
stuff to you (probably because you've yelled at them one too many times)
doesn't mean nobody else wants it, just because you aren't getting it
anymore.

> Net result, attachments should not, ever, need to be executed. If they do,
> red flags should be flying, bells going off, and "Danger, Will Robinson"
> should be echoing through the air.

But they aren't, and they don't. Users just don't care.

> Frankly, the only attachments you should be getting - or trusting - are
> documents. Archives, word processor documents, videos, sound bites,
> images, that sort of thing. Not executables.

Fine line, really. A script is just a text file, but passed to an
interpreter (viewer) it can become dangerous. There have been flaws in
various Unix/Linux based image rendering libraries that allow arbitrary
code execution as well, so specially crafted images could be used to attack
any vulnerable system as well.

However, be that as it may, users will *STILL* want to send executables.

> I'm sure someone, somewhere, will indeed write *nix software which mimics
> the idiocies of some of the Windows apps out there. I'm equally sure it
> will be stomped on by the archive maintainers, if nobody else, since it
> would, by design, be a gaping, screaming and effectively unfixable security
> hole - and who wants that in a repository of software whose goal is to
> provide *good* software?

As soon as a commercial Linux vendor, such as Linspire, or Xandros figures
out they can sell more copies by including those "screaming and effectively
unfixable security holes", guess what they'll be shipping.

The flaw in your argument is that you assume all linux vendors will
sacrifice sales for security. Don't be so naive.

Erik Funkenbusch

Jan 8, 2006, 2:43:30 AM

On Sat, 07 Jan 2006 23:03:57 +0000, Chris H wrote:

>> You really should pay more attention. I challenge you to find any
>> significant number of posts I've made in which I say Linux sucks, or that
>> it's a poor solution. I don't say that.
>
> So now I've got to find a "significant number", good cop out Erik, so if
> I find two or three it still won't be good enough will it?

The point is, identifying a few weaknesses is not the same as saying the
whole system is bad. Sure, you can find a few isolated areas where I
criticize Linux, but not overall.

> Also, I never said you did say that, I said you "have deep seated issues
> with Linux or you wouldn't be here defending MS at the drop of a hat.",
> why do you feel the need to come here by the way?

Yes, you did say that. I quote:

"if you think Apache/Linux is such a bad combination"

If you're not trying to say that I'm saying it's a bad combination, why did
you write that?

> What I say, is that Linux isn't
>> the holy grail of computing, and as such isn't anywhere near what many
>> Linux advocates make it out to be. That's not to say it's "bad", just that
>> it's not the perfect panacea claimed.
>>
>> Why is it so difficult for you to differentiate between "You're
>> exaggerating" and "It sucks"?
>
> Probably because I've never seen you say one good thing about Linux,
> you're a bit like a person that constantly goes on about ethnic
> minorities then complains when someone call you a racist.

Nor have you seen me say anything truly "bad" about linux either. Please
pay closer attention to what I write.

>>>You obviously feel very strongly, and tell us constantly, that Windows
>>>is superior so why are you running Suse to host your domain? You tell us
>>>that IIS 6 is secure yet use Apache.
>>
>> Again, I challenge you to show me where I say Windows is superior. I don't
>> generally say that. There are a few areas where I do believe it's
>> superior, but that's not my typical argument, so please stop putting words
>> in my mouth.
>
> So, there must be a few areas where you think that it's inferior as
> well? Why do you never talk about them?

I have.

>>>Is there any other explanation other than you are a hypocrite?
>>
>> Yes, you are fabricating what you think I'm saying.
>
> Actually there is another explanation that I didn't spot until later on,
> it isn't your SuSE server at all is it? It belongs to your employer
> Seahorse Software and you just have the website and get your mail
> delivered there.
>
> BTW, you need to set up rDNS on that host.

Actually, I own the server and am hosting that site. I have historically
run funkenbusch.com on FreeBSD for years with Apache, but had a hardware
failure on the old server and moved it to a Linux box until I rebuild the
FreeBSD box.

As for rDNS, no-can-do, I don't own the netblock, my ISP does and won't
configure reverse dns for it.

Sinister Midget

Jan 8, 2006, 3:00:11 AM

On 2006-01-08, Erik Funkenbusch <er...@despam-funkenbusch.com> posted something concerning:

> On Sun, 08 Jan 2006 02:15:04 GMT, Kelsey Bjarnason wrote:

>> Umm... contrary to the views often provided here, Linux *is* easy to use and
>> user friendly. However, consider for a moment the whole concept of
>> executing an attachment. Why would you ever do this in the first place?
>
> The very fact that it happens so often should tell you that users WANT to
> do this.

HA HA HA HA HA!

Well, that explains why there's in excess of 100,000 little nasties.

--
I'm using linux daily to up my productivity. So, up yours,
Microsoft.

Jesse F. Hughes

Jan 8, 2006, 4:18:35 AM

Jim Richardson <war...@eskimo.com> writes:

> You have write permissions to ~/, even root owned files there, with no
> write permissions for you, can be deleted by your account. Try it,
> create a file (as root) with no write perms for your account, then
> delete it.

Well, I'll be hornswaggled.

I never even thought to try that.

--
"It was over ten years ago that I was a lieutenant in the U.S. Army
and one day for some reason I thought to myself that I should be able
to figure out something brilliant. [...] Like, why can't I figure out
some math thing?" -- James S. Harris on inspirational moments.

Jim Richardson

Jan 8, 2006, 5:03:14 AM

On Sun, 8 Jan 2006 01:28:52 -0600,
Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
> On Sun, 08 Jan 2006 02:15:04 GMT, Kelsey Bjarnason wrote:
>
>> Erik Funkenbusch wrote:
>>
>>> This assumes many things. First, it assumes that as more users use Linux,
>>> that more "user friendly" software won't be developed that will override
>>> the hoops users have to jump through to execute attachments.
>>
>> Umm... contrary to the views often provided here, Linux *is* easy to use and
>> user friendly. However, consider for a moment the whole concept of
>> executing an attachment. Why would you ever do this in the first place?
>
> The very fact that it happens so often should tell you that users WANT to
> do this.
>

so receiving spam, which happens so often, is because users *want* to
receive spam?


Or perhaps we should assume that because people get mugged "so often"
it's because they want to be relieved of their on hand cash?


>> Ponder that a moment. "Here's a file, from an unknown source, with unknown
>> contents - so I should run it so it can do maximal possible damage." Is
>> this smart? No.
>
> Actually, no. It seldom is from an "unknown" source. It comes from a
> friend, or relative in many cases. You trust them, right? Even better, it
> contains some scintillating hints about what it might contain, such as Paris
> Hilton pictures, or an 'amazing' screen saver. Curiosity, as they say,
> killed the cat.


and the "paris hilton pictures" aren't *supposed* to be an executable,
so executing them, isn't what the user wanted. The screen saver should
be data, not an executable so again, executing them, is not what the
user wanted.

However, on a system which conflates open and execute (that would be
MS-Windows) the user doesn't get what they wanted, they get rooted
instead.

How nice...

>
>> A legitimate executable will, of course, come from a trusted repository, or
>> the vendor's site. A vanishingly small number will come from friends or
>> associates who are developers, sending you something to test. Pretty much
>> anything else should be treated with extreme suspicion.
>
> Not to end users. A good example is the amazing popularity of "e-vites" or
> "e-greeting cards". These get forwarded around like crazy. Users WANT to
> send this stuff to their friends, and their friends want to get it.
>


and these items should be executed? or should they instead, be
*displayed*? which is what the user wanted to do.


>> Case in point, it's been a hell of a long time since anyone even tried to
>> send me an executable; the last one I can recall offhand was some stupid
>> "elf bowling" game - which turns out to have been loaded with malware.
>
> Indeed. But users really don't understand all that. All they know is
> their stupid software won't let them play the game, or view the
> screensaver, or see the pictures. Now, along comes a company that provides
> them an email program that WILL (oh, such as IncrediMail, which embeds all
> kind of cutesy bullshit in emails that people love).
>
> The fact that you've conditioned your friends and family not to send this
> stuff to you (probably because you've yelled at them one too many times)
> doesn't mean nobody else wants it, just because you aren't getting it
> anymore.
>


you continue to pretend that blocking execution, somehow prevents you
from displaying images...


>> Net result, attachments should not, ever, need to be executed. If they do,
>> red flags should be flying, bells going off, and "Danger, Will Robinson"
>> should be echoing through the air.
>
> But they aren't, and they don't. Users just don't care.
>
>> Frankly, the only attachments you should be getting - or trusting - are
>> documents. Archives, word processor documents, videos, sound bites,
>> images, that sort of thing. Not executables.
>
> Fine line, really. A script is just a text file, but passed to an
> interpreter (viewer) it can become dangerous. There have been flaws in
> various Unix/Linux based image rendering libraries that allow arbitrary
> code execution as well, so specially crafted images could be used to attack
> any vulnerable system as well.
>

yes, and they are *flaws*. Whereas the same action in OE et al, is by
*design*



> However, be that as it may, users will *STILL* want to send executables.
>

like what?


>> I'm sure someone, somewhere, will indeed write *nix software which mimics
>> the idiocies of some of the Windows apps out there. I'm equally sure it
>> will be stomped on by the archive maintainers, if nobody else, since it
>> would, by design, be a gaping, screaming and effectively unfixable security
>> hole - and who wants that in a repository of software whose goal is to
>> provide *good* software?
>
> As soon as a commercial Linux vendor, such as Linspire, or Xandros figures
> out they can sell more copies by including those "screaming and effectively
> unfixable security holes", guess what they'll be shipping.
>
> The flaw in your argument is that you assume all linux vendors will
> sacrifice sales for security. Don't be so naive.


so MS is sacrificing security for sales? thanks for the confirmation.



"I think you should defend to the death their right to march,
and then go down and meet them with baseball bats."
-- Woody Allen, on the KKK

Jim Richardson

Jan 8, 2006, 4:56:32 AM


Now all of a sudden, you want to talk about age, rather than latest
released version? Nah, you don't get to move the goalposts *again*.


Step by step, day by day, machine by machine, the penguins march forward.

Jim Richardson

Jan 8, 2006, 5:20:08 AM

On Sun, 08 Jan 2006 10:18:35 +0100,


Jesse F. Hughes <je...@phiwumbda.org> wrote:

> Jim Richardson <war...@eskimo.com> writes:
>
>> You have write permissions to ~/, even root owned files there, with no
>> write permissions for you, can be deleted by your account. Try it,
>> create a file (as root) with no write perms for your account, then
>> delete it.
>
> Well, I'll be hornswaggled.
>
> I never even thought to try that.
>


yeah, you can't *write* to it, (without write perms) but to delete a
file, (absent sticky bit, which is another issue) all you need are write
perms on the dir it's in.

Tim's idea would probably work, with little or no mods to the apps, just
to the setup for them. Also, I suspect you could suid them to the
utility user account, although this might get somewhat convoluted on a
multi user machine. I suspect that a person would be better off looking
into SELinux or the like however. I think it would be less work overall.


My friends tell me that I refuse to grow up, but I know they're just
jealous because they don't have pajamas with feet.

Kelsey Bjarnason

Jan 8, 2006, 8:00:01 AM

[snips]

Erik Funkenbusch wrote:

>> user friendly. However, consider for a moment the whole concept of
>> executing an attachment. Why would you ever do this in the first place?
>
> The very fact that it happens so often should tell you that users WANT to
> do this.

I was going to respond to this point by point, but realized it was overkill.
The simple fact is that users are *not* trying to send executables around,
they're trying, on the whole, to send "cute little things I found" around.
Greeting cards. Elf bowling games. Whatever.

With a properly-managed software distribution mechanism - something other
than the chaos and madness which is the Windows method - doing this becomes
relatively trivial, as it can be done with tools such as flash, which in
turn is trivially installed even by a reasonably non-technical user.

This lets legitimate providers of elf bowling games, greeting cards and the
like distribute their legitimate content in a reasonably safe manner, while
limiting the damages done by unknown and untrusted executable attachments.

Frankly, it all comes down to culture. The Windows culture instills this
weird notion that software can come from anywhere, so what the hell, might
as well run it. The Linux culture, by contrast, instills an attitude that
if it ain't coming from the right place, it should be regarded with extreme
suspicion - to the point that the OS *will not*, by default, execute it at
all unless you explicitly mark the thing as executable, locally and
manually.

Since the same desired goal can be achieved by either method, and since one
retains the safety of the system, what benefit is there in doing it the
other way? Right - none whatsoever. It's only because Windows users are
used to getting software from anywhere and everywhere that such a thing is
even conceivable in the first place.


Tim Smith

Jan 8, 2006, 9:02:32 AM

In article <8764ovv...@phiwumbda.org>,
"Jesse F. Hughes" <je...@phiwumbda.org> wrote:
> Interesting idea, but wouldn't there be some obvious drawbacks?
> Suppose I change browsers and want to remove the .netscape (or
> whatever) directory. I couldn't execute "rm -rf .netscape" as jesse,
> since www_user owns .netscape (or at least the files in it), right?
>
> Or is this where ACLs are useful? I don't know diddly about them.

Basically, ACLs are like extra users and/or groups in the file
permissions. Instead of a file or directory just having
owner/group/other permissions, it can have permissions for a list of
named users and named groups, too. A directory can also have a default
ACL, which is used to make an ACL for files and directories created in
that directory.

(It gets more complicated because they had to jump through some weird
hoops to make this compatible with applications that don't know anything
about ACLs. You don't want ACLs to break or get lost if someone happens
to use an editor or tool that doesn't know about them. So, this is a
simplification, but accurate enough for this discussion).

So, you could have a directory, owned by you, with an ACL that lets
www_user create and delete things in that directory, and that gives
things created in there an ACL that gives you and www_user
read/write/execute permission. Let's call this your "browser directory".

You'd want this directory to be under a directory that is 700, so that
browsers running for other users could not get into your browser
directory. (You'd have a wrapper to launch the browser that would go
into your browser directory before launching the setuid browser).

If there aren't a lot of users, you could also perhaps do something like
this without ACLs. Suppose you have two users, foo and bar. For
browsing, make two groups, foo_www and bar_www, and make two setgid
wrappers, one for each user. The wrapper for foo is setgid foo_www and
launches the browser. Similarly for bar.

Now foo's browser directory simply has to be in group foo_www and have
the bit set that makes files created in it be in group foo_www, and the
umask has to be set so that the files can be group r/w/x.

This only works for a small number of users, because for each
application that you want to isolate this way, you need N groups, where
N is the number of users. The ACL solution simply requires one user per
application. (Or one group...you could do the ACL solution with groups
instead of users).

Another approach to isolating applications would be to use chroot. The
main problem with chroot is that it is a pain to set up when an
application uses a lot of libraries and other programs, and also can
take up a lot of space.

(It would be nice if there were a partial chroot. It would be similar
to the existing chroot, except that you would be able to mark a symbolic
link as being relative to the real root instead of the chroot'ed root.
This way, you could make a chroot'ed environment without having to copy
in a zillion libraries and programs. Instead, you could symlink to
/lib, /usr/lib, /bin, etc.. A program that is chroot'ed would, of
course, not be allowed to mark symbolic links this way).

(Speaking of things that would be nice, another thing that would be nice
would be for ACLs to allow you to specify both the effective and the
real user and group. That is, instead of an ACL entry for www_user, it
would be nice to be able to have one for foo.www_user, which would mean
it applies to foo running a setuid www_user program. Then there would
be no need to hide the browser directory under a 700 directory).

--
--Tim Smith
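The group-based variant above, as an added shell example that is not from the thread: it builds the 700 parent and the setgid "browser directory" and checks what a freshly created file inherits. Because creating a foo_www group and a setgid wrapper needs root, the script assumes one of the caller's existing groups stands in for foo_www and leaves the wrapper out.

```shell
#!/bin/sh
# Added example (not from the thread): the non-ACL, per-user group scheme
# from Tim Smith's post, reduced to the part that needs no root. A private
# browser directory sits under a 700 parent; the setgid bit makes new files
# inherit the directory's group and a umask of 007 leaves them group r/w.
# Assumption: the per-application group (foo_www in the post) is stood in
# for by an existing group of the caller, since creating groups needs root.

set -u

# Pick a supplementary group if the caller has one (so the inheritance is
# visible), otherwise fall back to the primary group.
pick_app_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        [ "$g" != "$primary" ] && { echo "$g"; return 0; }
    done
    echo "$primary"
}

# setup_browser_dir PARENT GROUP
# Builds PARENT (mode 700) and PARENT/browser (mode 2770, group GROUP),
# creates one file inside under umask 007 and prints "GROUP MODE" of that
# file so the caller can verify what it inherited.
setup_browser_dir() {
    parent="$1"
    app_group="$2"               # stand-in for foo_www
    mkdir -p "$parent"
    chmod 700 "$parent"          # browsers run for other users cannot get in
    browser_dir="$parent/browser"
    mkdir -p "$browser_dir"
    chgrp "$app_group" "$browser_dir"
    chmod 2770 "$browser_dir"    # rwx owner+group, setgid on the directory
    (
        umask 007                # new files: rw owner+group, nothing for other
        : > "$browser_dir/cookies.txt"
    )
    stat -c '%G %a' "$browser_dir/cookies.txt"
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
demo_group=$(pick_app_group)
echo "app group stand-in: $demo_group"
echo "file in browser dir -> $(setup_browser_dir "$demo_dir/home" "$demo_group")"
rm -rf "$demo_dir"
```

The printed "GROUP 660" shows the file took the directory's group rather than the creator's primary group and is not readable by other users; `stat` here is the GNU coreutils version.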

Linønut

Jan 8, 2006, 9:49:39 AM

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

I assure you, Erik, I myself do not exaggerate the weird goings on of
the Windows systems I've encountered.

Every week or so, they pull some trick so egregious that I am left
dumbfounded.

--
I love the smell of code compiling in the morning. It smells like... Freedom.

Linønut

Jan 8, 2006, 9:51:43 AM

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> On Sat, 07 Jan 2006 10:59:23 -0600, Linønut wrote:
>
>> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>>
>>> The "Wrong" was in regards to "A majority of the words servers already run
>>> Linux / BSD's."
>>
>> Can you
>>
>> 1. Post a link that unequivocally shows this?
>
> I don't have to prove it, the original poster needs to prove his claim.
> The only numbers I have are the Netcraft numbers, which show Windows having
> 50% of the servers.

You talking about that frickin' 5-year-old report?

>> 2. Explain how that is a net positive for Windows?
>
> Always the tap dance.

Bullshit. You're the one doing the tap dance, Bo Jangles.

>> I do now seem to remember a book about NT networking that also talked
>> about sockets, around that time. It looks like MS had some info on it;
>> the links I tried were no longer present, though.
>>
>> So perhaps the NT TCP/IP stack was buggy?
>
> I'm sure it had bugs. Even Linux's stack has had them.

For "buggy", read "egregiously buggy".

Linønut

Jan 8, 2006, 9:53:11 AM

After takin' a swig o' grog, Jim Richardson belched out this bit o' wisdom:

>> Apache 2.2 hasn't been around long enough to gain any meaningful sample.
>> In the time since 2.2.0 was released, IIS has had *0* flaws.
>>
>>> So from this, we can conclude that apache has half the security flaws of
>>> IIS? Again, using Erikmetrics.
>>
>> You might want to recalculate that.
>
> Now all of a sudden, you want to talk about age, rather than latest
> released version? Nah, you don't get to move the goalposts *again*.

Tippity-tap.

Linønut

Jan 8, 2006, 9:55:03 AM

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> On Sat, 07 Jan 2006 10:16:31 +0100, Jesse F. Hughes wrote:
>
>> Anyway, I'm not sure about Linspire. I thought they had moved away
>> from root-by-default. Anyone know about them?
>
> Nope, still root by default, and Michael Robertson likes to argue why it's
> that way.

Prove it, Houdini. And not with a three-year-old link.

Robert Newson

Jan 8, 2006, 1:40:40 PM

Kier wrote:

> On Sat, 07 Jan 2006 10:16:31 +0100, Jesse F. Hughes wrote:
>
>> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>>
>>> On 6 Jan 2006 15:09:43 -0500, Ray Ingles wrote:
>>>
>>>> But Linux enforces a privilege separation that Windows doesn't. (Not
>>>> "can't" - witness Microsoft's frantic efforts to get developers to go
>>>> along with LUA - but "doesn't".)
>>>
>>> Not really. Linspire, for instance, runs everything as Root. My point is,
>>> just because most distro's do that today, doesn't mean they all will
>>> forever, especially when faced with less than a growing non-savvy user
>>> base.
>>
>> I will be concerned only when a major, pre-existing distro moves
>> towards root-by-default. The fact that Linspire suffers from
>> remarkably dumb design is not symptomatic of Linux in general.
>
> I don't see why Linux becoming more popular should result in all distros
> deciding run-as-root is the best way to go.

Because the "average" user would then be of the opinion that they are the
only user of the system and having to run a separate admin account to
install stuff is such a hassle not to be worth it, especially as the toy
they're used to using didn't have this distinction.

Robert Newson

Jan 8, 2006, 1:53:50 PM

Kelsey Bjarnason wrote:

...


> It's only because Windows users are
> used to getting software from anywhere and everywhere that such a thing is
> even conceivable in the first place.

Interesting....that seems to imply piracy; however, thinking back to the
good ol' DOS days, sharing apps via sneakerNET (aka floppies) was fraught
with the danger of a virus also being transferred (e.g. boot sector). More
interesting is how MS did *NOT* learn from this auto-exec ability of
floppies to spread viruses *NOT* to include it (by default) with CDs where a
ROOTKIT could be installed by an *AUDIO* CD without permission - contrary to
section 3.(1) (with intent described in Section 3.(2)) of the Computer
Misuse Act 1990.


Robert Newson

Jan 8, 2006, 1:59:30 PM

Kelsey Bjarnason wrote:

> [snips]
>
> Erik Funkenbusch wrote:
>
>>This assumes many things. First, it assumes that as more users use Linux,
>>that more "user friendly" software won't be developed that will override
>>the hoops users have to jump through to execute attachments.
>
> Umm... contrary to the views often provided here, Linux *is* easy to use and
> user friendly. However, consider for a moment the whole concept of
> executing an attachment. Why would you ever do this in the first place?
>
> Ponder that a moment. "Here's a file, from an unknown source, with unknown
> contents - so I should run it so it can do maximal possible damage." Is
> this smart? No.

This reminds me of something that DID happen when I was at Uni many years
ago. A friend put a [binary] file[1] called "run.me" in the Unix directory
of another friend and made it executable. The second friend, needless to
say, ran it.

[1] it was the compilation of the [rough] program:
main() { while(1) fork();}
it was interesting to hear how he managed to kill it (and its children)
when he ran out of permitted processes for his uid.

^_^

Kier

Jan 8, 2006, 2:02:02 PM

On Sun, 08 Jan 2006 18:40:40 +0000, Robert Newson wrote:

> Kier wrote:

>> I don't see why Linux becoming more popular should result in all distros
>> deciding run-as-root is the best way to go.
>
> Because the "average" user would then be of the opinion that they are the
> only user of the system and having to run a separate admin account to
> install stuff is such a hassle not to be worth it, especially as the toy
> they're used to using didn't have this distinction.

That's the common conception. But perhaps if users are treated like
intelligent beings, they'll begin to act like them.

--
Kier

Jim Richardson

Jan 8, 2006, 3:49:05 PM

the second friend's home dir was world writable?


The New York Times, the paper that asks for more verification from its
readers than its writers.

Jim Richardson

Jan 8, 2006, 3:47:57 PM


That's one reason why Ubuntu's use of sudo works so well.


"There ain't many things a man can't fix
with $700 dollars and a thirty-aught-six"
--Attributed to Jeff Cooper.

Bob Hauck

Jan 8, 2006, 5:09:50 PM

On Sun, 08 Jan 2006 18:40:40 GMT, Robert Newson
<Reap...@bullet3.fsnet.oc.ku> wrote:

> Kier wrote:

>> I don't see why Linux becoming more popular should result in all
>> distros deciding run-as-root is the best way to go.
>
> Because the "average" user would then be of the opinion that they are
> the only user of the system and having to run a separate admin
> account to install stuff is such a hassle not to be worth it,
> especially as the toy they're used to using didn't have this
> distinction.

And yet, somehow, Mac users have not decided they all must run as root,
despite previous versions of the MacOS being single-user in the mold of
Windows 95.

I think the answer is that most of the users will run the system however
it comes out of the box. If they have to type a password to install
software, they'll learn to do that. They won't make a big deal out of
it one way or the other, but one way limits the spread of malware and
the other doesn't.


--
-| Bob Hauck
-| A proud member of the reality-based community.
-| http://www.haucks.org/

chrisv

Jan 9, 2006, 8:48:03 AM

Erik Funkenbusch wrote:

>On Sat, 07 Jan 2006 10:38:56 -0600, Linønut wrote:
>>
>> Always the pessimist where Linux is concerned, eh, Erik?
>>
>> Always the optimist where Microsoft is concerned, eh, Erik?
>
>In here, that's usually true. There's a reason for that, though, since
>Linux advocates like to exaggerate the quality of Linux, and the crappiness
>of Windows.

And in a Linux advocacy group! Shocking.

chrisv

Jan 9, 2006, 8:57:13 AM

George Ellison wrote:

>chrisv <chr...@nospam.invalid> writes:
>>
>>Proven liar billwg wrote:
>>>
>>> Unix and linux are poor performers in the home for the average person.
>>
>> Stupid lying troll. In what way does Linux "perform poorly"? The ONLY
>> thing Linux lacks is the wide array of shrink-wrapped software that
>> Windwoes has.
>
>Not true. It also lacks a need for it.

Depends what your particular needs are... With high-speed Internet,
the selection of store-bought software is much less important than it
used to be. However, it's still a disadvantage compared to Windows.
Indeed, it's THE disadvantage compared to Windows, IMO.

Ray Ingles

Jan 9, 2006, 11:25:24 AM
On 2006-01-06, billwg <bi...@twcf.rr.com> wrote:
> When you get to the more important stuff, where people are willing to
> pay more for some better results, there is a much higher incidence of
> IIS use. Those are the sites that people try to hack the most as well.

Funny, see the "Largest Sites Opt For Linux" thread in this very
newsgroup. Doesn't really match your assertions. Of the top ten, only
*two* are using IIS. And one of them isn't even using it as a pure play.

> But the discussion was about the desktop and viruses. These do not
> involve web servers.

Apache was brought up as positive proof that the lack of viruses and
malware on open-source platforms, and conversely their prevalence on
Microsoft platforms, is *not* due to popularity. Even in areas where
Microsoft does not have a commanding lead, it is overrepresented in
actual exploits.

--
Sincerely,

Ray Ingles (313) 227-2317

"I like the flag plenty, but I never forget it's only a
symbol, a reminder of what we stand for, not a replacement
for actually standing for it."
- Bill Maher, "When You Ride Alone You Ride With bin Laden"

Ray Ingles

Jan 9, 2006, 11:37:50 AM
On 2006-01-07, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
>> Actually, IIS 6 *is* an improvement, though not universally deployed by
>> a long shot (still a lot of Code Red traffic out there). IIS sites still
>> get hacked, though, through other holes like these (SANS's #1
>> vulnerability of the year):
>>
>> http://www.sans.org/top20/#w1
>
> Right, but that's a far cry from your original claim.

No, I said "most of the hacks and worms target IIS, not Apache". That
is unequivocally true.

>> Do you have any actual evidence the numbers of Apache servers vs. IIS
>> servers are dramatically closer?
>> http://survey.netcraft.com/index-200106.html. While this only shows OS,
>
> The most recent numbers are from 2001, but the ratio of sites on IIS to
> non-IIS has stayed roughly the same.

I'd be wary of extrapolating from five-year-old data. Still, it appears
you have actually come up with some evidence in favor of your position.
Congratulations.

>> But Linux enforces a privilege separation that Windows doesn't. (Not
>> "can't" - witness Microsoft's frantic efforts to get developers to go
>> along with LUA - but "doesn't".)
>
> Not really. Linspire, for instance, runs everything as Root.

And has been roundly criticized for doing so. It's also *far* from the
most popular distribution by a long shot.

> My point is,
> just because most distros do that today, doesn't mean they all will
> forever, especially when faced with less than a growing non-savvy user
> base.

I would be *stunned* if the Linspire model took hold instead of, say,
the Ubuntu model.

--
Sincerely,

Ray Ingles (313) 227-2317

The plural of 'anecdote' is not 'data'. - Anonymous
