
Re: SECURITY PROBLEM: autofs [all versions]



Adam Heath wrote:
> 
> On Mon, 3 Jul 2000, Christopher W. Curtis wrote:
> 
> > Anthony Towns wrote:
> > >
> > > On Fri, Jun 30, 2000 at 08:52:23PM -0400, Christopher W. Curtis wrote:
> > > > [...] filed a bug report against autofs
> > > > and marked it as release critical.  I have heard nothing for the past
> > > > two (three?) days and need to make this known: [...]
> > >
> > > The bug tracking system has been playing up over the last couple of days,
> > > it should be fixed now.
> > >
> > > > [sneakernet to victim]
> > >
> > > Alternatively:
> > >
> > > [sneakernet to victim]
> > > hit reset button, or toggle power switch
> > > put bootable disk in drive
> >
> > BIOS doesn't boot from floppy.
> > BIOS has password.
> > Server is down, people are screaming.
> 
> System as shipped boots from floppy.
> System as shipped does not have password.

So your answer is that basic security is not important enough to give
users out of the box?  Is there a 'hardening debian' guide somewhere
that says, "By default, all Debian installations are subject to the
following root compromises - you can fix each of these by doing a) b)
c).  While we have the ability to fix these for you before shipping you
an insecure OS, it's simply too much trouble to change one line in one
file when security is the concern of the person who installs the system,
and not the concern of the people releasing the system."

Or is it simply a matter of, "Well, to make it hard to break in, they
have to do a) and b) anyways, so while they're at it, they can just go
ahead and do f) - l) as well".

I thought Debian was all about high-quality releases - if you want to
take a Microsoft style approach to security, why bother waiting for the
software to stabilize either?

Christopher
