RE: A question of Security

jt@npdaxp.fuw.edu.pl
Thu, 16 Dec 1999 16:39:41 MET


>From: "David W. Robinson" <dwrobinson@socalled.com>
>To: linux-net@vger.rutgers.edu
>Date: Wed, 15 Dec 1999 17:14:19 -0800

>I am currently trying to convince our network people of the safety of
>using a Linux machine as an internet server, running Apache and
>Realmedia Streaming Media. What I am looking for is evidence,
>articles, papers etc. that compare the security of a Linux server against
>the security of a box running Solaris and other common Unix
>operating systems. Can anyone help by pointing me in the right
>direction, or sending me material to use in the defense of Linux?

Intuitively it seems a system with full source available is more
vulnerable, because a hacker can look at the sources, find a bug
there and use it to break system security. However, after one of
our Linux machines was compromised I looked into the sources trying
to find the security hole the hacker used (knowing well _HOW_ he
did it), and failed to find it - it was too much work for me.
Anyway, I suppose a hacker who has a lot of time can try to
find bugs this way and use them to break security.

Because our department has a lot of computers (I cannot even
approximately say how many: 200? 300? more?) I have some info
from practice. We have a few SUN Solaris systems, and there were
1-2 security breaks a month, so we put up a firewall. And I know
about two Linux machines which were compromised - they were
running old versions of Linux, like kernel version 2.0.30 or
similar, and later there were lots of breaks there (it seems
hackers noticed there were hosts not protected by a firewall,
and attacked them frequently). I asked many people about the
security hole the first hacker used, and someone wrote it was
fixed in RedHat 5.2 (w/ kernel 2.0.36; the hole was in RPC).
The SUNs were compromised earlier, in spite of being controlled
by people who knew security problems well.

If security is important, maybe a better choice is a VAX or Alpha
with VMS - if this system is acceptable. We know of no case of
our VMS machines being compromised, in spite of their being excluded
from firewall protection. And I know about exactly one case of
a VMS host being compromised in a place I was working in - there
was a script which could be copied to the VMS host via DECNET and
allowed shell commands there; a way to protect from it was
disabling write to the default directory of DECNET, and making
all writable directory names at least 15 characters long (it used
some directory to write logs, normally the default directory,
and it was possible to send a script there and invoke it;
but the system limits the name of the script to invoke to 16
characters, and it is not possible to use it in case the dirname
is too long); anyway, the harm was not serious since DECNET has
almost no privileges - like "guest" or "nobody" on most systems.
In VMS there is no "buffer overflow" security hole due to a
different method of passing buffers, always with the correct length
(to pass an incorrect one, a programmer must do it purposely, unlike
Unixes, which have the gets() function, which has no length
parameter). But I do not know if VMS has what you need, and surely
it is _much_ different from all Unix systems.

Jerzy
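The contrast Jerzy draws at the end, between a callee that receives only a pointer (the shape of gets()) and one that receives the buffer together with its length, is shown below in C. This is an added example, not code from the mail or from VMS: the buf_desc struct is a simplified stand-in for a length-carrying buffer (an assumption, not the real VMS descriptor layout), and fgets() is used as the length-aware replacement for gets(). The sample input fed to the line reader is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A buffer that carries its own capacity. Simplified stand-in for the
 * "buffer always passed with its length" idea; NOT the VMS descriptor layout. */
typedef struct {
    char  *ptr;   /* start of the caller's storage */
    size_t cap;   /* capacity in bytes, including room for the NUL */
} buf_desc;

/* Build a descriptor from a char array; sizeof gives the true capacity. */
#define DESC(arr) ((buf_desc){ (arr), sizeof(arr) })

/* Unix style, same shape as gets()/strcpy(): only a pointer is passed, so
 * the callee cannot know how much room there is. Never called with oversized
 * input below (that would be undefined behaviour); shown only for contrast. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Descriptor style: the callee knows the capacity and can refuse. Always
 * leaves dst NUL-terminated. Returns 0 if src fit, -1 if it was truncated
 * (or dst has no room at all). */
int copy_checked(buf_desc dst, const char *src)
{
    size_t n = strlen(src);

    if (dst.cap == 0)
        return -1;
    if (n >= dst.cap) {
        memcpy(dst.ptr, src, dst.cap - 1);
        dst.ptr[dst.cap - 1] = '\0';
        return -1;
    }
    memcpy(dst.ptr, src, n + 1);
    return 0;
}

/* fgets() is the length-aware replacement for gets(): it writes at most
 * cap-1 bytes plus the NUL. Reads one line without its newline. Returns 0 for
 * a complete line, 1 if the line was longer than the buffer (the excess is
 * consumed so the next call starts on the next line), -1 on EOF or error. */
int read_line_checked(buf_desc dst, FILE *in)
{
    if (dst.cap == 0 || fgets(dst.ptr, (int)dst.cap, in) == NULL)
        return -1;

    char *nl = strchr(dst.ptr, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return 0;
    }
    /* No newline stored: a long line (or a final line without one). */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 1;
}

/* Self-checks on constructed input; each returns 1 on success. */
int demo_copy_fits(void)
{
    char buf[16];
    return copy_checked(DESC(buf), "short") == 0 && strcmp(buf, "short") == 0;
}

int demo_copy_overlong_truncated(void)
{
    char buf[8];
    int rc = copy_checked(DESC(buf), "this is far too long");
    return rc == -1 && strlen(buf) == 7 && strcmp(buf, "this is") == 0;
}

int demo_read_lines(void)
{
    /* Constructed input: a 24-byte line, then a short one. */
    static const char input[] = "AAAAAAAAAAAAAAAAAAAAAAAA\nnext\n";
    FILE *in = fmemopen((void *)input, sizeof(input) - 1, "r");
    if (in == NULL)
        return 0;
    char buf[8];
    int ok = read_line_checked(DESC(buf), in) == 1 && strcmp(buf, "AAAAAAA") == 0
          && read_line_checked(DESC(buf), in) == 0 && strcmp(buf, "next") == 0
          && read_line_checked(DESC(buf), in) == -1;
    fclose(in);
    return ok;
}

int main(void)
{
    char small[8];
    copy_unchecked(small, "ok");   /* fits: 3 bytes into 8 */
    printf("copy fits:        %d\n", demo_copy_fits());
    printf("overlong refused: %d\n", demo_copy_overlong_truncated());
    printf("line reader:      %d\n", demo_read_lines());
    return 0;
}
```

The point of the descriptor shape is in copy_checked and read_line_checked: because the capacity travels with the pointer, the callee can truncate and report instead of trusting the caller, which is exactly what the pointer-only copy_unchecked cannot do. Discarding the rest of an overlong line in read_line_checked matters too; without it the next read would silently start in the middle of the attacker's input.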
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu