netfilter firewalling problems and solutions

Robert Connolly cendres at videotron.ca
Mon Feb 23 09:48:06 PST 2004


On February 23, 2004 07:50 am, Ian Molton wrote:
> On Mon, 23 Feb 2004 07:19:13 -0500
>
> Archaic <archaic at indy.rr.com> wrote:
> > Agreed. Building as unpriv user is always sound advice.
>
> Kinda hard to see why other than the possibility that your package might
> inadvertently rm -rf / which is a hassle but no security hole.
>
> if you install as root your machine is just as vulnerable as if you
> built as root.

Some packages, like wordperfect8, unpack into / by default. Unpacking as user 
lfs would prevent this kind of insanity. glibc-2.3.2 had a tendency of going 
into an infinite loop durring make, at least if its user lfs there is less 
chance of this consuming all memory.

On another note. I think kernel 2.6 could be considered more secure then 2.4. 
Its shown to have bugs fixed sooner then with 2.4. I'm not sure on the 
numbers for preformance and load handling but from the little I've used it 
I'm guessing 2.6 would preform better then 2.4 (under attack conditions). The 
last few months have shown 2.4's maturity hasn't saved it from having serious 
bugs. There are a few sanitized header projects to choose from.. fedora, pdl, 
not sure who else, they should all be equaly useable. Kernel 2.6 is also at 
about the same maturity level as glibc-2.3.3, so they would be able to mature 
together. I have no idea how well 2.6 works outside of x86. The PaX patch for 
2.6 needs more testing on non-x86 before they will say it works. I'm not 
suggesting nptl yet but this would give almost all the peices so ppl can test 
it if they want (I have never had nptl and pie to work together).

Opinions?




More information about the hlfs-dev mailing list