vulnerability of Linux

John Summerfied debian at herakles.homelinux.org
Wed Nov 30 02:36:11 UTC 2005


Steffen Kluge wrote:
> On Tue, 2005-11-29 at 14:13 +0800, John Summerfied wrote:
> 
>>If there's a kernel update fixing a security problem only exploitable 
>>with local access, and I control the only account with local access, 
>>then I don't need it.
> 
> 
> Are you sure? If there's a bug in httpd that allows an attacker to run
> code as user apache, then the kernel bug may become quite useful to get
> root.

I had some difficulty accessing material outside of /var/www as user 
Apache, on WBEL. Try it.
> 
> Why run with a known vulnerability, just because one isn't smart enough
> to think of an attack vector? Defense in depth...

Because the risk of breaking things, especially with Fedora, is greater.

I have seen two successful attacks against Linux systems in the time 
since I deployed my first Linux server, running RHL 4.0.

Both were on account of weak passwords.

OTOH I cannot count the number of broken systems I've seen when upgrades 
failed, when upgrades succeeded but their content was broken, when 
hardware failed.

There was one near miss, where I applied an SSL upgrade a week before 
someone tested me for its lack.

So there you are, no penetrations at all on account of software 
vulnerabilities in umpteen years.



-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list



