Re: per session access to drives

Alex Belits (
Thu, 15 May 1997 15:08:35 -0700 (PDT)

On Wed, 14 May 1997, Alan Cox wrote:

> > I.E. "I can't acutally DO anything on this machine, because I accidentally
> > nuked /bin and /sbin, but I assume that nobody is smart enough
> > to be able to replace them."
> And it works. One of the best web server security tricks I ever saw was a web
> server, with no useful additional binaries, remote database querying for
> its database, and its entire file system burned onto a CD. Nobody is going
> to put porn gifs on that one in a hurry
> Neutralising services is a great strategy. You can't hack a pocket calculator
> much because it has nothing to hack.

Service != binary. Service that is running, can be vulnerable or not,
can provide access to something that is vulnerable, etc. Binary is just
sitting somewhere on the box, and unless it's usable for breakin while
remote user have not bypassed/altered security of service that can run
executables, (say, telnet/shell or http/cgi), it isn't of any danger, and
once remote access is gained at the extent that arbitrary executable can
run with root privileges, "disabling" executables is useless -- system can
be considered lost regardless of that.


P.S. Any system has a condition where its functionality is lost and can't be recovered on its own. It's silly to plan system security of home PC to survive "denial of service attack" performed with a nuclear bomb.