[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: httpd installed by default on desktops! bad gnome-user-share, bad!

On Mon, Apr 09, 2007 at 12:06:14PM -0400, Jesse Keating wrote:
> Perhaps this conversation belongs in upstream gnome, but it starts an http 
> session AS the user for the specific directory the user wants to share.  
> Other than the knee jerk "OMG http is running!" reactions, what is the major 
> problem here?

We've come a long way in reducing out-of-the-box vulnerabilities in Fedora
since the Red Hat Linux days. SE Linux and other "overlay" security measures
are good, but the major factor is: don't install complicated network servers
by default. This is serious backsliding.

We can count on everyone applying security updates for supported releases.
(Of course we can!) But, every couple of days someone on fedora-list posts
questions about Fedora Core 4 or older. "It works fine, I can't bother to
upgrade right now." The more stuff like this we ship, the more those people
are going to be part of botnets.

We can say "tough, their problem" -- just like historically a certain big OS
vendor I hate to bring into the conversation for Godwin's law-related
reasons -- but that's irresponsible. If we stop caring about this issue,
it's only a matter of time before "Linux Security Worse than Proprietary OS
/ Linux-based Worm Brings Down The Internets!" is the headline news -- and
it'll be right.

Matthew Miller           mattdm mattdm org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]