[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-developers] Cobalt vs. "real Linux" (WAS: Webmin)
- Subject: Re: [cobalt-developers] Cobalt vs. "real Linux" (WAS: Webmin)
- From: Ted Behling <TBehling@xxxxxxxxxxxxx>
- Date: Sat Aug 18 01:53:03 2001
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Thanks for your message, Jeff! I really enjoyed reading your comments.
Responses are intertwined.
At 08:15 PM 8/17/01 -0700, Jeff Lasman wrote:
>I agree that the gui runs everything
>as root, but I think it's unfair to say that's therefore insecure. Some
>of the scripts I've got for remote operation of my "straight" linux
>systems also runs as root; they need to, to do what needs to be done, in
>many cases. While some programs can be run as other users besides root,
>many must be run as root, and that's hardly Sun/Cobalt's fault. No, I
>have no idea if they've had an outside security audit done or not, but
>results show me that except for one period about five or six months ago,
>they're in general a lot more secure than, for example, Windows 2000
><wry grin>.
Well, sure, Linux is more secure (and more easily securable) than Win32 any
day.
I agree that the admin section needs to run as root, but I think the system
can do more with the concept of "least privilege". I would've run Apache
HTTPD and the Perl scripts as an unprivileged user, and call setuid scripts
to do the gruntwork of changing files' contents and handling daemons. To
get around the problem of everybody being able to run the scripts on their
own, set up a new group and user called "adminsvr" or some such, run the
server as adminsvr, chown your dirty-work scripts to root.adminsvr, and
"chmod u=rxs,g=rx,o= name.pl".
>So where's the "meat" of my post? Simply this: If you're using the
>gui, you should be using it over a secure connection. To do that
>install a secure cert on your "admin" webserver; in the RaQ3 and above,
>it'll handle it fine without any kind of patching. If you don't want to
>spend money on a cert, self-publish one. And of course install SSH,
>test it, and turn off telnet BEFORE you connect the box to the network.
You could even bind the admin server to only localhost, and connect via an
SSH tunnel a la my previous message... Actually, if I were still using the
GUI, I'd do that.
>> I respectfully disagree with your reference to "real" Linux. As I'm sure
>> you are aware, there is no One True Way when it comes to Linux. RedHat is
>> not the only, or necessarily the best, way to put together a Linux
>> environment. Just because one server's file structure differs from the
>> next doesn't mean one is wrong.
>
>Not sure whether to take this as an anti-Red Hat diatribe or not
><smile>.
Sorry, I should've written that differently. RedHat is actaully my
favorite Linux distro (used to like Debian, just because it was my first
one). I just wanted to make it clear that although RedHat is popular,
other distros aren't doing things incorrectly because they lay their files
out differently. I think the original thread was something like "Why can't
I take config files from my Cobalt and put them on my internal server
(probably RedHat) and have them work?"
--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.
43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894 Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------