[mdk-re] [Fwd: [expert] Re: Structural security problems in Redhat 7]

Aleksey Novodvorsky aen at logic.ru
Tue Jan 23 23:49:00 MSK 2001


Hi!
This may be of interest to system administrators. Bernhard
Rosenkraenzer (Bero) now works at RH; a year and a half ago he was at
MandrakeSoft.

Rgrds, AEN

-------- Original Message --------
Subject: [expert] Re: Structural security problems in Redhat 7
Date: Tue, 23 Jan 2001 21:13:08 +0100 (CET)
From: Bernhard Rosenkraenzer <bero at redhat.de>
Reply-To: expert at linux-mandrake.com
To: Jean Francois Martinez <jfm2 at club-internet.fr>
CC: <redhat-devel-list at redhat.com>, <expert at linux-mandrake.com>

On 23 Jan 2001, Jean Francois Martinez wrote:

> Isn't RedHat playing with fire and making us play with fire by using
> software that is either a regular provider of security problems, i.e.
> wu-ftpd (what is wrong with proftpd?)

proftpd is at least as much of a security problem as wu-ftpd.
Take a look at some older bugtraq postings and you'll find proftpd used to
be the exploit-of-the-week daemon for quite some time.

It hasn't had many issues recently (neither did wu-ftpd), but I personally
still wouldn't trust it.

Another point is that we have several people we can shout at if something
goes wrong in wu, and therefore we can fix problems faster if they turn
up. There probably aren't any security problems left though; several
people have proofread the code and haven't found anything.

Also, it doesn't have all the features many people are used to having.

> or software that is _structurally_ insecure like sendmail?

I personally don't understand it either; I've been pushing to replace it
with postfix for quite a while.

The main arguments I've heard against this are "we can't enforce changing
smtp daemons on everyone", "some people need sendmail's special features"
(/etc/sendmail.cf may be the most complicated file on a system, therefore
it's also the most powerful ;) ), "sendmail is standard and used virtually
everywhere" and "sendmail has been in use forever (therefore had much more
testing)".
The last argument actually makes some sense - there haven't been any
critical security problems with sendmail lately.

> I also don't understand why RedHat doesn't use its own excellent lokkit in the
> installation.

This or something similar might happen in a future version.

LLaP
bero
