
Re: How to block telnet access.



On Sun, 26 Sep 1999, Adam Morrison wrote:
> 
> Sorry, but you are in trouble.  If you have untrusted users on your system,
> then your security is broken by definition (and in practice).
> 

I disagree. There's no such thing as a perfectly secure system, but it's
quite possible to build a system which is hard to compromise --- even from
the inside.


> Theoretically, you could try to build a chroot() jail for them. 
> Unfortunately, doing this correctly isn't quite trivial and does not protect
> you from all the threats.  Worse, assuming these people need to get some work
> done, they'll need access to (potentially vulnerable) applications and
> directories and the `security' of the jail gets even worse.
> 

Practically all security measures aren't trivial --- and require a
competent admin. Is that the case here?

(IMO, if going for security, some _basic_ questions need to be asked ---
starting with - why Linux?).

> FreeBSD has a jail(2) facility for similar purposes, but even that isn't
> perfect.
> 

SeOS is quite nice --- however, it's an incredible hassle to admin. Above
a certain (small) size, you practically need a SeOS admin, from my
experience.


> This appears to be a political problem, not a technical problem.  Untrusted
> users on your system will lead to a security breach; the decision needs to
> be made as to what is more important.
> 

Having a machine turned on will lead to a security breach. The question is
how easy is it to compromise the machine.

-- Ors.


