From: pjb1008@cam.ac.uk (Peter Benie)
Date: Fri, 11 Feb 2000 09:35:58 +0000
> Anyone who doesn't disable or severely restrict the r-commands is begging
> for trouble: *they* are the security holes here, not CNBS.
I wish people would keep repeating that argument. There are plenty of
environments where the r-utilities are perfectly safe, such as between
hosts in a machine room, where the room has a lock, a burglar alarm,
and random people can't just plug PCs into the network.
No, random people will just break into the RedHat 5.1 (or Slackware 4.x)
system sitting in the back of the machine room, (forgotten, but plugged
into the network) and then run a sniffer. In that case, the lock and
the burgler alarm don't save you. If you're connected to the outside
network, you're vulnerable. Even if you have a firewall, you may be
vulnerable (firewalls have been known to screw up).
It's best to assume that the r-utilities are *always* dangerous, and use
ssh or Kerberos all the time. That way, when someone breaks into one of
your machines on the network, all of the machines on your network aren't
screwed.
Defense in depth.... it's the only way to be sure.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:20 EST