On Fri, 25 Oct 2013 14:21:37 -0600
Bob Proulx <b...@proulx.com> wrote:

> recovery...@gmail.com wrote:
> > Bob Proulx wrote:
> > This is not entirely correct. Sudo is considered third-party software
> > in HP-UX (HP merely builds it and doesn't install by default), AIX (not
> > provided by IBM and therefore not supported) and Solaris (third-party
> > software without any support in versions =< 10). About the only
> > exception is Solaris 11 which provides sudo in default install (and it
> > is configured the same way as in Ubuntu by default).
> 
> It is certainly fair that you would take exception to my words (since
> I often do that to others!) but I said "on" those not "distributed by"
> them.  ;-)  I didn't say the vendor distributed it.

Indeed you didn't. My sincere apologies just in case.

> Most of those systems ship very little by their vendors.  I have used
> them for many years and almost all of the software that you will use
> on those systems will have been compiled and installed by the local
> admin.  IMNHO they are mainly a good solid base upon which you as the
> local admin build the working system upon.  And for me if we are
> talking about what we compile locally from source I would need to look
> but the list is several hundred packages long!

Oh. You mean that HP suddenly transformed into good fairies and stopped
charging extra for aCC? Or IBM received an encrypted signal from their
supervisors from Mars and did the same to vacc? And don't even mention
Sun, those guys managed to build their base system with two different C
compilers at once (gcc and that thing they put in Sun Studio instead
of C compiler).

As for 'solid base'… C'mon, treating openssh as a third-party tool? No
meaningful firewall in default install? Telnet and FTP (root login is allowed
by default) enabled by default and listening on 0.0.0.0? Mandatory
access control as a paid feature? Clearly our definitions of 'solid
base' are different.


> > Considering that primary usage of sudo is to provide controlled
> > privilege escalation to uid=0, using unsupported (therefore - not
> > updated unless local sysadmins care about security) sudo on these
> > OSes is basically equivalent to giving everyone uid=0.
> 
> You left the large "unless local sysadmins care about security" escape
> clause there.  But what about if the local admin *does* care about
> security?  In that case you can have a system with _better_ security
> than that provided by the vendor.

If the local sysadmin cares about security then that site is truly blessed.
No irony. See, I earn my salary for solving problems with certain
proprietary cross-platform software. As part of my job, I visit many
different places, and what do I see there?
Outdated (like, 10 years outdated) SSH clients. Passwords stored in
plain text files in a recycle bin (or on a sheet of paper under the
keyboard). Telnet as a primary administration tool (because 'terminal
looks funny in SecureCRT if I use SSH'). Cargo cult as the main
method of configuring servers. Advice such as 'disable encryption in
SSH, our server's CPUs cannot handle encryption' (copying files with
scp from one Superdome to another). Complete inability to grasp even
basic concepts of TCP/IP (we have network guys, they handle it).
'We're using VLANs so we don't need to encrypt anything'. 'We've
installed antivirus everywhere = we're secure'.
And last, but not least - 'security is complex, security bores me,
security breaks our system'.
And they are not Joe and Jane the Average End Users. They are
sysadmins :(

Not that UNIXes are that bad. It happens for any OS, GNU/Linux included.


> And even in the case of an overworked and somewhat slack admin the
> system security with source sudo installed but old is probably about
> the same as the provided by the vendor.  Vendors don't update their
> software that often and usually not without something pushing them to
> do so.

Sudo had vulnerabilities that led to gaining root access by exploiting
them. And people will use it, as vendors won't provide them any
meaningful way to update all installed software at once.
Therefore - using outdated sudo is equivalent to wearing a
T-shirt with a root password written on it, as the end result will be the
same.


> For improved security a system with many eyes upon the code such as
> Debian is much better.  Anyone using a traditional legacy Unix system
> today is most likely not using it for the security of the system but
> for other aspects of it.

That's true, but. I didn't imply that proprietary software is
insecure (although, honestly, it is :) given what kind of people
actually write it today) a priori, I meant that using an outdated tool
for gaining security actually lowers it.

Reco


Archive: http://lists.debian.org/20131026010704.c520162a574e2d5d01ccf...@gmail.com