
RE: [cobalt-users] CGI Script Question



On Sun, 13 Aug 2000, Jimmy Gross wrote:

> I am very much aware of network security policies and procedures since that
> is the business I am in.

Super.  I hope you know that my long response was mostly for the benefit
of others who might read your statement about the admin user and think
that taking other smart security related actions is futile.

> What I was pointing out is that "admin" is a common
> login on all raq products and in my opinion is a greater risk than with a
> user that has limited permissions.

Absolutely.  But also keep in mind that until recent Cobalt upgrades at
least some of the RaQ line allowed normal system users to potentially
issue commands as root due to a few exploits.  Or so I have been led to
believe due to information posted on cobalt.com, security-related internet
sites and the sites of some software I use that is pre-installed or
commonly used on RaQs.  And I guarantee that many production RaQs are
still vulnerable to these exploits.

> Most of the users on this list have an
> admin login and with the proper software and enough time their password can
> be easily acquired and hacked into.

For some time I've wanted to modify Cobalt's special sauce to allow me to
rename the admin user to something else without breaking the GUI.  I
haven't done so because I don't want to deal with the consequences of not
getting it right the first time.  Maybe Cobalt will build the
functionality of allowing the server admin to rename the admin user in one
of their updates or future RaQ lines.  I wouldn't be surprised if one of
the large hosting companies or more savvy power users has already done so,
but I don't recall reading about it or speaking with anyone who's done so.

> Fortunately, for my company we have a
> security officer with a staff that monitors our networks.

But unfortunately most RaQ owners that frequent this list don't.  And even
if the big hosting companies have an entire security department I don't
think they're monitoring their users' log files, checking that their
permissions are correct, checking that their usernames are obscure and
their passwords are not prone to a dictionary attack, etc.  That's
generally the role of a server admin.  The hosting companies could do it,
but they typically bill at $125-$175 an hour and most of their customers
would not be able to afford any services worth having.

--
Steven Werby {steven-lists@xxxxxxxxxxxx}