You have to think carefully about the question you are asking. If there are two known remote exploits, what do you think any studies would show you? Fewer exploits? More exploits? If more, wouldn't that make it into the "known" exploits list, unless it's a private study where nobody can get access to the results? If that's the case, wouldn't we be going back to the "only two known remote holes" since no one knows about the other stuff?
On your other question - if you hang a root shell off port 80, without password requirements, what happens? Is that a security issue caused by OpenBSD, or by someone ignorant of how to set up security? Now, you want to use PHP, a notoriously insecure piece of crap - what do you think would happen? And you seriously think chroot will keep a determined person out? Lots of "how to break out of chroot" articles out there, though I have not looked into how well those work on recent OpenBSD installs. In other words, you need to learn a lot more, and spend a lot of time thinking about what you want to do and figuring out exactly what you want to ask and/or do.

On 4/26/09, Jean-Francois <jfsimon1...@gmail.com> wrote:
> Hi All,
>
> My question is in two parts.
>
> First, considering the default install, assuming that one box should be
> only used for example as a firewall, how good is the security level?
> I mean I know there are only 2 remote holes in 10 years, but my question
> is do we have any experience about the level of security, such as studies
> that demonstrated the failure to break into the default system for
> example? Or any other experience in regards to that?
>
> On the other side, now if we assume that one box should be used to host
> a website, there are ways that code such as php + mysql will be
> breakable into. My question is, considering the chroot, can we
> consider that the supposed hacker can never escape from the chroot by any
> means, even after he is able to upload and execute files directly on
> the web server?
>
> Thank you a lot for your clarifications,
>
> Kind regards
>
> J-F
>
>

--
Sent from my mobile device
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
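The chroot point in the reply above, as an added example that is not part of the thread and not anyone's posted code: the classic "chroot from inside a chroot" escape that the "how to break out of chroot" articles describe, next to the setup a chrooted service should use so that the escape cannot work. Both functions refuse with EPERM unless the caller is root, which is the substance of the argument: chroot(2) is a root-only call, so a jail only confines an attacker who cannot become root inside it; if the web server (or the PHP it runs) is root inside the jail, the jail is decorative. The scratch directory name and the unprivileged uid/gid 65534 are assumptions for the demo. Whether a particular OpenBSD release blocks the second chroot(2) is not something the thread establishes, so the code reports the outcome rather than assuming one.

```c
/*
 * Added example, not from the thread.  Two functions:
 *   chroot_escape()      - the classic "chroot within a chroot" escape
 *   jail_and_drop_root() - the setup that makes that escape impossible
 * Both do nothing useful unless run as root, which is exactly the point:
 * chroot(2) confines an unprivileged process, not a root one.
 */
#define _DEFAULT_SOURCE          /* setgroups() prototype on glibc; harmless elsewhere */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed names for the demo; any writable directory / unprivileged ids will do. */
#define ESCAPE_SCRATCH_DIR "chroot_escape_scratch"
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/*
 * Classic escape.  Meant to be called as root from inside a chroot with the
 * cwd at the jail's "/".  Returns 0 if the process root is the real root
 * afterwards, otherwise an errno value (EPERM when not root to begin with).
 */
int chroot_escape(const char *scratch)
{
    if (geteuid() != 0)
        return EPERM;                       /* chroot(2) is root-only */
    if (mkdir(scratch, 0700) == -1 && errno != EEXIST)
        return errno;
    /* Re-root into the subdirectory but deliberately do not chdir into it:
     * the cwd is now *above* the new root. */
    if (chroot(scratch) == -1)
        return errno;
    /* The kernel only pins ".." at the current root, and the cwd is outside
     * it, so repeated chdir("..") climbs to the real filesystem root. */
    for (int i = 0; i < 256; i++)
        if (chdir("..") == -1)
            return errno;
    /* Make the directory we climbed to (the real "/") the root again. */
    if (chroot(".") == -1)
        return errno;
    return 0;
}

/*
 * Hardening for a chrooted service: enter the jail, put the cwd inside it,
 * then drop root irrevocably (supplementary groups first, then gid, then
 * uid).  After this, chroot_escape() can only ever return EPERM.
 * Returns 0 on success, otherwise an errno value.
 */
int jail_and_drop_root(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return EPERM;
    if (chroot(jail) == -1 || chdir("/") == -1)
        return errno;
    if (setgroups(0, NULL) == -1)           /* shed supplementary groups */
        return errno;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return errno;
    if (setuid(0) == 0)                     /* the drop must be permanent */
        return EACCES;
    return 0;
}

int main(void)
{
    int r = chroot_escape(ESCAPE_SCRATCH_DIR);
    printf("chroot_escape: %s\n", r == 0 ? "root is now the real /" : strerror(r));
    r = jail_and_drop_root("/", UNPRIV_UID, UNPRIV_GID);
    printf("jail_and_drop_root: %s\n", r == 0 ? "root dropped" : strerror(r));
    return 0;
}
```

Run as an ordinary user both calls print "Operation not permitted", which is the behaviour you want from a web server that was chrooted and then dropped to an unprivileged uid before it ever touched attacker-controlled input. The order in jail_and_drop_root matters: chroot before the privilege drop (chroot needs root), chdir("/") before the drop (so the cwd is inside the jail, closing the exact door chroot_escape walks through), groups before gid before uid (setuid last, because after it you can no longer change the others).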