Date: Thu, 22 Feb 2001 01:37:18 -0800
From: "Crist J. Clark"
To: Ted Mittelstaedt
Cc: Doug Young, Macrolosa, freebsd-questions@FreeBSD.ORG
Subject: Re: login-MODEM
Message-ID: <20010222013718.G89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <00dd01c09c49$494b6f40$847e03cb@apana.org.au> <004701c09cad$b8c88c40$1401a8c0@tedm.placo.com>
In-Reply-To: <004701c09cad$b8c88c40$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Thu, Feb 22, 2001 at 12:59:10AM -0800

On Thu, Feb 22, 2001 at 12:59:10AM -0800, Ted Mittelstaedt wrote:

[snip]

> There's nothing to running a shell server as long as you take a few simple
> precautions.

*boggle*

It is pretty much assumed that if a user can get local, he can get
root. For recent FreeBSD examples, take the /proc holes (and there are
probably more) used to get the webserver. OpenBSD had some chpass and
others publicized back in October. And this is my favorite, pretty
much EVERY SINGLE Solaris BOX IN THE WORLD has a particular local root
exploit that has no reasonable workaround or vendor patch.

> You're way overstating the security risks here. What risks?! There's nothing
> that a user can do on a shell server that they can't do already by setting
> up a UNIX system and dialing into us, except for screwing other users on that
> server,

And every time some kiddie nukes the server and uses your bandwidth to
scan half the Internet for portmap, you have to fix it and get all of
the hate mail.

> Rubbish - you're making things way hard for yourself. UNIX already has
> excellent security for this - you just need to understand it.

UNIX does not have strong security. It was not originally designed for
security. That's not to say it is not as strong or stronger than the
other extremely popular operating systems of today, but those are very
weak too.

-- 
Crist J. Clark                           cjclark@alum.mit.edu