Re: RedHat security

From: Yuan Liu (yliu@stemnet.nf.ca)
Date: 06/16/02 

From: Yuan Liu <yliu@stemnet.nf.ca>
Date: Sun, 16 Jun 2002 01:30:28 GMT

Thanks for everybody who answers. Guess I didn't make myself quite
clear. I'm not concerned about my box, or even my client's boxes. Once
you are aware of the issues, there are plenty of ways to fend them off.
  I was asking from a product design perspective. RedHat has done a
great job placing finesse in many aspects, but default privileges (and
previously default network configs) were not the most impressive. And
I'm not using the phrase security in the Tom Ridge sense, but in a
broader, traditional Unix sense, where multi-userism is essential. An
incident can occur without any malicious intent but it's still an incident.

For example, one user may find the box running too slow for a specific
task and decide that the box needs a reboot. Guess what? With RedHat,
he can. Think you submitted a heavy job last night and waiking for
results this morning? What confuses me is that the defaults packaged in
RedHat don't always agree with the best practice in the real world. As
the industry is touting Linux as a more secure system than some others,
unsuspecting customers may relate this message to a particular (and
popular) distribution and think that they are buying security out of the
box.

Anyway, I'm just playing with RedHat defaults recently and privilege
management is not the only uncomfortable spot. The some aspects in
"workstation"-"server" differentiation, for example, also makes me
wonder why.

Yuan Liu