[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Antivirus? (and firewalls)

> >For now we have no virusses on Linux but setuid programs could be used
> >for spreading them.  Of course it is far easier to keep track of a few
> >setuid programs as of every program like it happens in Linux.  However
> >sooner or later measures will have to be taken for ensuring root
> >doesn't run unsecure software.
>    One of the best ways is to insure that everything can be easily done as a
> user with su.  If there is no reason to log in as root, people will log in
> as eLiTe hAkOr instead. :-)

Running through "su" is no protection at all.  In addition RedHat
makes you run it using exactly the same path as when you were noral
user.  This is a security risk (imagine a user fooling you into
running su from his seeeion or an unsecure program lying in your
$HOME/bin directory).  Indy has the same problme than RedHat.  Caldera
resets root to his normal path but I hadn't time to implement the
Caldera solution in Indy.

However the basic problem is that nothing forces the user to use the
root account for the tasks it is intended: system administration.
Root should have a path with only the minimal set of commands for
system administration in it.  Of course root can change his path but
then he is responsible of what happens.

> >> >IF we could make a GUI for IPchains, and make it easy,
> >> >it would be something that would get a lot of good
> >> >publicity for us.
> >IPchains is very advanced networking, not exactly our ecological niche.
>    I think this is exactly our niche.  We are making a complex system,
> Linux, simple for the new user.  All you have to do is the on the Linux
> security news group and read about people who are rooted within HOURS of
> setting up on the cable modem. <cable modem = big switched network>  Users
> NEED some security, but the ability to manage it.  Some kind of GUI for
> hosts.allow and hosts.deny and basic IPchains functionality needs to be
> done.  If not by us, by someone.  And if it is by us we will get a LOT of
> publicity.  Just my 2 cents worth. :-)

Look at kfirewall.  I have tried the linuxconf module and I wasn't
convinced: in fact the problem is that it is easy to define rules but
making linuxconf activating them is difficult to find.

>             Lee

			Jean Francois Martinez

Project Independence: Linux for the Masses