[ale] Linux Distributions

[Jim Popovitch]

On Tue, 2005-05-17 at 20:07 -0400, Jason Day wrote:
> On Tue, May 17, 2005 at 05:50:23PM -0400, Jim Popovitch wrote:
> > On Tue, 2005-05-17 at 17:07 -0400, Jason Day wrote:
> > >
> > > A spam relay daemon cannot bind to port 25 unless it is started as root.
> > > That makes it less useful, since clients must be reconfigured to use a
> > > nonstandard port.
> > 
> > First, please define "spam relay daemon".  Specifically what do you mean
> > by that?  Btw, an open relay is an entirely different thing.  Most
> > zombie spam agents don't run as standard smtp servers, nor do they need
> > to.
> 
> It's just a hypothetical example I made up.  Yet another attempt at
> making a point that was completely lost.

So, there is no specific case?  I fail to see where there would be one,
I suppose there could be one, I just haven't seen it yet.

> > > While it is certainly possible to run a remote-control daemon as
> > > non-root, it won't be able to hide itself and can be trivially detected
> > > and killed.  A remote-control program that is installed and run as root
> > > as part of a trojan or other malicious program however can also replace
> > > system files like netstat and ps, or even install kernel modules, to
> > > avoid detection.
> > 
> > There are way too many assumptions in those statements.  If I run as
> 
> Please tell me what assumptions you're talking about.

Here's the two bigs ones:

   -a remote-control non-root daemon that can't be hidden. This all
depends as well upon who is looking for it and what host permissions
they have (this is a non-root discussion after all)

   -"a remote-control program that is installed and runs as root as part
of a trojan"  What are the parameters under which it is installed?  What
if /usr/src and /boot, etc are all chattr +i or mounted ro?

> > root I can easily (and so can software that I run) find hidden and
> > zombied processes.  This is NOT true if I run as a non-root user.  Root
> > enables me to be secure. ;-)
> 
> Are you familliar with rootkits?  Are you really claiming that you can
> easily detect and kill a malicious program with a rootkit installed?

Yes.  Are you familiar with chkrootkit, it can identify *known* rootkits
(of course that leaves you with the unknown user-based malware).  Can
they be cleaned sure, at least to some extent.  Is it worth burning the
box, possibly, but not always.

> What if the software that you run has been replaced or disabled by the
> rootkit?  What if netstat, ps, lsof, and other system tools have been
> replaced?  What if a kernel module that intercepts syscalls in order to
> hide a malicious process has been installed?

Time to re-install.  How is this different if you run as root all the
time vs running as a user?   Rootkits can be installed without someone
operating as "root" all the time.

> > > As I said before, a linux box connected to the internet with an
> > > always-on connection like DSL or cable, is, for all intents and
> > > purposes, a server.  
> > 
> > No it's not.
> 
> Nice argument.  Care to elaborate?

Sure.  There are a TON of linux appliances.  Linux firewalls, gateways,
DSL routers, SetTop boxes, etc.  All on very high speed networks.

> > > The fact that these arguments are 20 years old
> > > lends them more credibility, not less.
> > 
> > So, it should be easy to give a non-refutable example then, right?  Why
> > is this thread approaching 50+ posts if the argument is so credible?
> 
> As far as I can tell, two people are making a claim that defies common
> wisdom, and the rest of us are trying to refute the claim.  

Claims shmains... where's the beef?

> The fact
> that the two people making the claim have egregiously trolled this list
> in the past seems relevant to point out.  I'm sure that Drew is
> gleefully enjoying the results of his innocent little remark about
> running everything as root.

I'm a troll because I make counter claims and ask for evidence?  Nice.

-Jim P.