On Thu, Sep 27, 2001 at 09:30:30AM +0200, Henrik Edlund wrote: > I do feel lucky. If not for Mandrake I would be running ancient SuSE 7.1 > now. Still, looking at the number of employees at Mdk, one seem very > little.
Not really when you realize that there really is more than one person contributing here. We've had several other Mandrake folk post on this list about various things. Almost all of the packages were taken from the x86 distribution and rebuilt for ppc. Security is being done by vdanen who does all the security and is also on this list and posting. So that leaves Stew to do all the specific ppc things and figure out why some packages don't rebuild/work on ppc. Basically Mandrake is leveraging the existing work that has been done for x86. So really I don't think one person is all that silly. > I don't like tools I have not written myself that run and change file > permission and alter files on my system. I prefer to have the control > myself. With 9 years of UNIX sysadmin experience I know exactly where the > vunerabilities are. Also this is a single user client (my personal laptop) > so "default" permissions on files with all daemons off except postfix > (which only listens on localhost, this is something it should do as > default by the way when installed, so that the sysadmin has to alter > main.cf and make it listen on eth0, etc), ntpd (which can only receive > traffic from its time server as all others are "iptable:ed out"), and pmud > which also only listens on localhost, is secure. I know what I am doing. That's great, but the defaults as you call them are set by msec on Mandrake. If you don't want it to do anything set you security to Low and it will do minimal things.. > It is maybe good for users who want a way to change their system to a more > insecure or people who are not used to running a server and need a easy > way to secure their server by _obscurity_. msec is *NOT* obscurity. The source is freely available for anyone to look at. Not to mention that everything it does is documented at: /usr/share/doc/msec-0.15/security.txt So if msec is obscure than Solaris sure as hell is obscuree (FYI I run Solaris too on some of my servers). >I am running Slackware and > Solaris on the servers I admin. :-) Mandrake is though my choice for a > desktop/workstation distro. If I want someone else than root:root to own > files (outside /home) I can chown them myself and change permission and > umask, I then have control and know where it has been done and why. > Tools like this should really be optional and not tightly integrated. Of > course it is a very good written product, but as I said, GNU/Linux is > built on freedom of choice. I prefer to have the choice to say, "no, I can > handle this myself", even on my workstation. You'll note that at Level 3 the only thing it does is set the umask to 022 which is probably what you want anyway. It doesn't touch any file permissions. Mostly what it does is tell you when something is wrong. Ultimately msec if setup properly won't do anything you don't like. If you're really paranoid edit /etc/security/msec/ to your liking. However, I'm pretty sure removing msec will cause you problems down the line installing updates. -- Ben Reser <[EMAIL PROTECTED]> http://ben.reser.org "Before you set out for revenge dig two graves." - Chinese Saying
