[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Antivirus? (and firewalls)
> >For now we have no virusses on Linux but setuid programs could be used
> >for spreading them. Of course it is far easier to keep track of a few
> >setuid programs as of every program like it happens in Linux. However
> >sooner or later measures will have to be taken for ensuring root
> >doesn't run unsecure software.
> One of the best ways is to insure that everything can be easily done as a
> user with su. If there is no reason to log in as root, people will log in
> as eLiTe hAkOr instead. :-)
Running through "su" is no protection at all. In addition RedHat
makes you run it using exactly the same path as when you were noral
user. This is a security risk (imagine a user fooling you into
running su from his seeeion or an unsecure program lying in your
$HOME/bin directory). Indy has the same problme than RedHat. Caldera
resets root to his normal path but I hadn't time to implement the
Caldera solution in Indy.
However the basic problem is that nothing forces the user to use the
root account for the tasks it is intended: system administration.
Root should have a path with only the minimal set of commands for
system administration in it. Of course root can change his path but
then he is responsible of what happens.
> >> >IF we could make a GUI for IPchains, and make it easy,
> >> >it would be something that would get a lot of good
> >> >publicity for us.
> >IPchains is very advanced networking, not exactly our ecological niche.
> I think this is exactly our niche. We are making a complex system,
> Linux, simple for the new user. All you have to do is the on the Linux
> security news group and read about people who are rooted within HOURS of
> setting up on the cable modem. <cable modem = big switched network> Users
> NEED some security, but the ability to manage it. Some kind of GUI for
> hosts.allow and hosts.deny and basic IPchains functionality needs to be
> done. If not by us, by someone. And if it is by us we will get a LOT of
> publicity. Just my 2 cents worth. :-)
Look at kfirewall. I have tried the linuxconf module and I wasn't
convinced: in fact the problem is that it is easy to define rules but
making linuxconf activating them is difficult to find.
Jean Francois Martinez
Project Independence: Linux for the Masses