[ale] Help with server setup
Ed Cashin
ecashin at noserose.net
Tue Sep 15 22:01:53 EDT 2009
On Tue, Sep 15, 2009 at 4:47 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> There's all kinds of hardening that can be done. Disable root login,
> remove mount command, make the entire / directory read only. You have
> to balance security locks vs. usability.
I see, yes. I suppose I figure that exploits come along every so
often that give folks root via strange stuff like,
* buffer overflow in httpd allows arbitrary command to run
as "web" user
* as web user, elevate to root using a local root exploit
* as root, remount / as read-write
* profit!
(I could not resist an underpants gnomes reference. ;)
There's a balance in security, but I like the way the FreeBSD
immutability provided an easy way to take much of the danger
from privilege escalation without more inconvenience than I
felt comfortable with, since I knew I didn't have time to fix
the system right away if something had happened.
--
Ed Cashin <ecashin at noserose.net>
http://noserose.net/e/
More information about the Ale
mailing list