[ale] Linux Distributions

Jason Day jasonday at worldnet.att.net
Tue May 17 20:24:12 EDT 2005


On Tue, May 17, 2005 at 05:50:23PM -0400, Jim Popovitch wrote:
> On Tue, 2005-05-17 at 17:07 -0400, Jason Day wrote:
> >
> > A spam relay daemon cannot bind to port 25 unless it is started as root.
> > That makes it less useful, since clients must be reconfigured to use a
> > nonstandard port.
> 
> First, please define "spam relay daemon".  Specifically what do you mean
> by that?  Btw, an open relay is an entirely different thing.  Most
> zombie spam agents don't run as standard smtp servers, nor do they need
> to.

It's just a hypothetical example I made up.  Yet another attempt at
making a point that was completely lost.

> > While it is certainly possible to run a remote-control daemon as
> > non-root, it won't be able to hide itself and can be trivially detected
> > and killed.  A remote-control program that is installed and run as root
> > as part of a trojan or other malicious program however can also replace
> > system files like netstat and ps, or even install kernel modules, to
> > avoid detection.
> 
> There are way too many assumptions in those statements.  If I run as

Please tell me what assumptions you're talking about.

> root I can easily (and so can software that I run) find hidden and
> zombied processes.  This is NOT true if I run as a non-root user.  Root
> enables me to be secure. ;-)

Are you familiar with rootkits?  Are you really claiming that you can
easily detect and kill a malicious program with a rootkit installed?
What if the software that you run has been replaced or disabled by the
rootkit?  What if netstat, ps, lsof, and other system tools have been
replaced?  What if a kernel module that intercepts syscalls in order to
hide a malicious process has been installed?

> > As I said before, a linux box connected to the internet with an
> > always-on connection like DSL or cable, is, for all intents and
> > purposes, a server.  
> 
> No it's not.

Nice argument.  Care to elaborate?

> > The fact that these arguments are 20 years old
> > lends them more credibility, not less.
> 
> So, it should be easy to give a non-refutable example then, right?  Why
> is this thread approaching 50+ posts if the argument is so credible?

As far as I can tell, two people are making a claim that defies common
wisdom, and the rest of us are trying to refute the claim.  The fact
that the two people making the claim have egregiously trolled this list
in the past seems relevant to point out.  I'm sure that Drew is
gleefully enjoying the results of his innocent little remark about
running everything as root.

-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
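The hidden-process scenario raised above (a kernel module filtering what /proc shows to ps and netstat) can be checked from the defender's side by comparing two views of the process table. This is an added example, not code from the list thread; it assumes a Linux host with /proc mounted and follows the brute-force idea used by tools such as unhide.

```python
"""Cross-check two views of the process table to spot a hidden process.

A rootkit that filters /proc directory listings hides a PID from ps,
netstat and `ls /proc`, but the task still exists, so a signal probe
(kill(pid, 0)) on it returns success or EPERM instead of ESRCH. PIDs that
answer the probe yet never appear in the listing are suspicious.
Constructed example; assumes Linux with /proc mounted.
"""
import os

DEFAULT_PID_MAX = 32768  # fallback when /proc/sys/kernel/pid_max is unreadable

def pid_exists_by_probe(pid):
    """True if the kernel knows this PID, whatever directory listings say."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True  # exists, but belongs to another user
    except ProcessLookupError:
        return False
    return True

def pids_listed_in_proc():
    """PIDs visible through the readdir view a rootkit can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def is_thread(pid):
    """Non-leader threads answer kill() but are never listed in /proc, so
    skip them. An unreadable status file is NOT treated as a thread: a PID
    whose /proc entry is blocked entirely stays suspicious."""
    try:
        with open("/proc/%d/status" % pid) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def hidden_pids(probed, listed_before, listed_after):
    """Suspicious = answers the probe but absent from both listings; taking
    two listings drops processes that merely exited during the scan."""
    return {p for p in probed - listed_before - listed_after if not is_thread(p)}

def scan(pid_max=None):
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = DEFAULT_PID_MAX
    before = pids_listed_in_proc()
    probed = {p for p in range(1, pid_max + 1) if pid_exists_by_probe(p)}
    return hidden_pids(probed, before, pids_listed_in_proc())

if __name__ == "__main__":
    for pid in sorted(scan()):
        print("PID %d answers a signal probe but is missing from /proc" % pid)
```

A rootkit that also hooks kill() defeats this probe, which is why the original point stands: once the kernel is compromised, no userland check is trustworthy.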
