Re: tcpdump -z

Board: FB_security, posted 2010/08/28 02:01, thread 11/13
On Fri, Aug 27, 2010 at 6:20 PM, Aldis Berjoza <aldis@bsdroot.lv> wrote:
> On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer <mh@kernel32.de> wrote:
>> In fact, I would suggest to disable root, so that su - doesn't work at
>> all.
>>
>> ./Marian
>
> Ye, and once sudo is broken (somehow, for whatever reason) you have lots of
> fun (especially on servers) :D

Yes. Sudo(8) also just adds another complexity level to a very crucial UNIX authentication mechanism. I would say that if any of your users need to run root-specific commands (including tcpdump(1)) then something is not right, and it's only a matter of time when you will be having some serious problems.

I'm not even mentioning that sudo(8) like any other binary in the system is exploitable and it has a history of security holes (especially in the way it parses its configuration file).

Anyway, discussion about including sudo(8) in the BASE comes back here about every five years or so, but as the general consensus is that a *correctly* configured sudo(8) is not that bad, it's not that good either for being a substitute for an overall solid security policy.

Andy
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1CT_rcxF (FB_security)