netfilter firewalling problems and solutions
cendres at videotron.ca
Mon Feb 23 09:48:06 PST 2004
On February 23, 2004 07:50 am, Ian Molton wrote:
> On Mon, 23 Feb 2004 07:19:13 -0500
> Archaic <archaic at indy.rr.com> wrote:
> > Agreed. Building as unpriv user is always sound advice.
> Kinda hard to see why other than the possibility that your package might
> inadvertently rm -rf / which is a hassle but no security hole.
> if you install as root your machine is just as vulnerable as if you
> built as root.
Some packages, like wordperfect8, unpack into / by default. Unpacking as user
lfs would prevent this kind of insanity. glibc-2.3.2 had a tendency of going
into an infinite loop during make; at least if it's user lfs there is less
chance of this consuming all memory.
On another note, I think kernel 2.6 could be considered more secure than 2.4.
It's shown to have bugs fixed sooner than with 2.4. I'm not sure on the
numbers for performance and load handling, but from the little I've used it
I'm guessing 2.6 would perform better than 2.4 (under attack conditions). The
last few months have shown 2.4's maturity hasn't saved it from having serious
bugs. There are a few sanitized header projects to choose from: fedora, pdl,
not sure who else; they should all be equally usable. Kernel 2.6 is also at
about the same maturity level as glibc-2.3.3, so they would be able to mature
together. I have no idea how well 2.6 works outside of x86. The PaX patch for
2.6 needs more testing on non-x86 before they will say it works. I'm not
suggesting nptl yet, but this would give almost all the pieces so people can test
it if they want (I have never had nptl and pie work together).
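The risk raised above, a package that unpacks into / by default, can be caught before extraction by listing the archive's member names. This is an added shell example, not code from the original post; the helper names check_tarball_paths and make_demo_archives are hypothetical and the two archives it inspects are constructed under a temp dir.

```shell
#!/bin/sh
# Added example (not from the original post). check_tarball_paths prints
# archive members that would escape the extraction directory: absolute
# paths (the "unpacks into /" case) or ".." components. Exit status:
# 0 = every member is relative and stays below the cwd, 1 = risky
# members were found (they are printed), 2 = the archive is unreadable.
check_tarball_paths() {
    archive="$1"
    # tar -t prints member names as stored in the archive (GNU and BSD tar)
    names=$(tar -tf "$archive") || return 2
    printf '%s\n' "$names" | grep -E '^/|(^|/)\.\.(/|$)' && return 1
    return 0
}

# Builds two constructed archives under a temp dir and prints its path:
# good.tar keeps everything under pkg-1.0/, bad.tar stores an absolute
# path (tar -P keeps it), which is what an archive that "unpacks into /"
# looks like. Extracting bad.tar as root would write outside the build
# directory; as an unprivileged build user (e.g. lfs) it cannot.
make_demo_archives() {
    workdir=$(mktemp -d)
    mkdir -p "$workdir/pkg-1.0"
    printf 'all:\n\t@echo built\n' > "$workdir/pkg-1.0/Makefile"
    tar -cf "$workdir/good.tar" -C "$workdir" pkg-1.0
    tar -P -cf "$workdir/bad.tar" "$workdir/pkg-1.0/Makefile"
    echo "$workdir"
}

# Usage: check both archives before deciding whether to extract them.
demo=$(make_demo_archives)
for a in good bad; do
    if check_tarball_paths "$demo/$a.tar" >/dev/null; then
        echo "$a.tar: safe to extract inside a build directory"
    else
        echo "$a.tar: has members that escape the build directory"
    fi
done
```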
More information about the hlfs-dev