Re: [cobalt-developers] Cobalt vs. "real Linux" (WAS: Webmin)
- Subject: Re: [cobalt-developers] Cobalt vs. "real Linux" (WAS: Webmin)
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Fri Aug 17 14:50:55 2001
- Organization: nobaloney.net
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Ted Behling wrote:
> I feel the same way sometimes. I stopped using the Web control panel long
> ago, after it wouldn't let me format my DNS zone files the way I wanted and
> completely redid my named.conf file when I added a zone.
This sounds like something I could have written, Ted, except that I just
stopped using the gui for DNS. We did a lot of secondary DNS hosting
for other ISPs at the time, and it just would have taken too long to not
use our own in-house developed tools.
Now, however, we're using the gui again for minor changes, since we make
all DNS changes with command-line tools compatible with the gui. And it
helps of course that we sold our secondary-DNS hosting division <smile>.
(Probably starting another, though that's another story <wry grin>.)
> I've been using
> Linux since before RedHat was popular, and find that the GUI gets in my
> way. As a personal feeling, I don't trust the GUI -- everything runs as
> root, and I wonder how many people outside Sun/Cobalt have done a full
> source-code security audit of it?
Again this _could_ have been written by me. My first Linux was kernel
v. 0.9, as distributed as part of a slackware distribution in Winter
'94. That machine ran almost three years as I recall, with extremely
limited reboots. I no longer like dealing with slackware, for reasons
that shall remain offlist <smile>. I agree that the gui runs everything
as root, but I think it's unfair to say that's therefore insecure. Some
of the scripts I've got for remote operation of my "straight" linux
systems also run as root; they need to, to do what needs to be done, in
many cases. While some programs can be run as other users besides root,
many must be run as root, and that's hardly Sun/Cobalt's fault. No, I
have no idea if they've had an outside security audit done or not, but
results show me that except for one period about five or six months ago,
they're in general a lot more secure than, for example, Windows 2000
<wry grin>.
So where's the "meat" of my post? Simply this: If you're using the
gui, you should be using it over a secure connection. To do that,
install a secure cert on your "admin" webserver; in the RaQ3 and above,
it'll handle it fine without any kind of patching. If you don't want to
spend money on a cert, self-publish one. And of course install SSH,
test it, and turn off telnet BEFORE you connect the box to the network.
> The system works great as a stepping stone for the NT/IIS point-and-click
> crowd, for whom it is designed. Clearly, if you're a Linux guru, you'd
> feel less frustrated by installing RedHat on a nice Dell server.
Funny you should say that. I find myself more frustrated with
NT/W2k/IIS than I could ever become with linux. We support one W2k box
(which I'd love to replace with _any_ RaQ appliance, btw <smile>). We
recently found it involved in a DOS attack against a porno-web-server.
Talk about mixed emotions. I almost wanted to leave it on <grin>. But
we ended up rebuilding the entire box, from a formatted hard-disk.
Turned it on, attached it to the Internet, and did a web-based install
of SP2, not having the SP2 CD. Then installed the various patches
issued since SP2.
Then we noticed it had already started back the DOS attack. It seems
the box was hacked during the reinstall of SP2, which we could ONLY
install over the 'net; we had no other option at the time.
We finally stopped the attack by turning off the default website. We
never use default websites, finding them much easier to hack than
virtual sites (and that goes for Linux, Unix, and Win NT/W2k). I'm
leaving the machine in service with the default website turned off...
and watching the MRTG logs, generated on another, uninfected (Linux)
system. So far so good.
> I respectfully disagree with your reference to "real" Linux. As I'm sure
> you are aware, there is no One True Way when it comes to Linux. RedHat is
> not the only, or necessarily the best, way to put together a Linux
> environment. Just because one server's file structure differs from the
> next doesn't mean one is wrong.
Not sure whether to take this as an anti-Red Hat diatribe or not
<smile>.
Happy computing, good luck keeping the worms at bay <smile>.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205