Your Distro is Insecure: Ubuntu
Kees Cook
kees at ubuntu.com
Tue Apr 14 16:23:05 UTC 2009
On Tue, Apr 14, 2009 at 06:09:39PM +0200, Ante Karamatić wrote:
> Next are users with /bin/bash. If those users would have /bin/false,
> they won't be able to run jobs from cron.
The idea that setting a shell makes a service user vulnerable to
exploitation is ridiculous. If a service were exploited, the attacker
would have arbitrary code control, and could spawn whatever program they
wanted, regardless of the configured shell.
And besides, several of those services (cups, mysql, bind9, with dhcp added
in 9.04) are confined with AppArmor, so it matters even less.
> Of course, there are some valid points, but also lots of nonsense.
If we're going to nitpick, how about "buffer overload"? That is an
extremely uncommon phrase to use to mean "buffer overflow". Getting this
wrong would seem to indicate a lack of real understanding in this area.
-Kees
--
Kees Cook
Ubuntu Security Team
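The shell field in /etc/passwd is consulted by programs that start a login session for an account (login, su, sshd and similar); a process that is already running as that uid can exec any binary regardless of what the field says, which is the point made above. An added example, not from this thread or from Ubuntu: a small audit script that parses passwd records (a constructed sample is embedded) and lists system accounts whose shell is interactive, so an administrator can review them as a hygiene item rather than as a containment boundary. The uid cut-off of 999 and the set of nologin shells are assumptions; AppArmor confinement is a separate control and is not modelled here.

```python
"""Audit passwd records for system accounts with an interactive login shell.

Added illustration; not code from the mailing-list thread or from Ubuntu.
Assumptions: system accounts have uid <= 999 (Debian/Ubuntu convention),
and the shells in NOLOGIN_SHELLS are the ones that refuse a session.
"""
from dataclasses import dataclass

# Shells that are conventionally used to refuse interactive sessions.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
bind:x:105:112::/var/cache/bind:/bin/false
mysql:x:106:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
dhcp:x:101:102::/nonexistent:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd-format text into entries; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_system_accounts(entries: list[PasswdEntry],
                                system_uid_max: int = 999) -> list[PasswdEntry]:
    """Return system accounts (uid 1..system_uid_max) whose shell can start a session.

    root (uid 0) is skipped: it is expected to have a real shell.
    """
    return [
        e for e in entries
        if 0 < e.uid <= system_uid_max and e.shell not in NOLOGIN_SHELLS
    ]


def audit_report(text: str) -> list[str]:
    """Names of system accounts with an interactive shell, in file order."""
    return [e.name for e in interactive_system_accounts(parse_passwd(text))]


if __name__ == "__main__":
    for name in audit_report(SAMPLE_PASSWD):
        print(f"system account {name!r} has an interactive shell")
```

Run it against the sample and it reports daemon, www-data and mysql; bind and dhcp are skipped because their shell is /bin/false, and alice is skipped because uid 1000 is a regular user. Changing a listed account to /bin/false removes it from the report, but as the message above says, it does not change what a compromised process running as that uid can execute.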