On 22 Feb 1998 20:04:41 +1300, Carey Evans wrote:

> [EMAIL PROTECTED] (David Stern) writes:
>
> > What I'm trying to do is make my ppp connection as secure as possible,
> > and one of the first things I realized is that whenever I'm running
> > dselect, I'm root, and that I might be connected to the internet for
> > long enough such that my ip address could be attacked, and I know there
> > are different types of attacks, and my assumption was that if I'm
> > running as root, then it would conceivably be possible to get root
> > access.
>
> You're not "connected to the net running as root."
Why not? I'm root. I'm running ftp on the net.

> Your computer is connected to the net, making all the services in
> /etc/inetd.conf and provided by other daemons that are started in
> /etc/init.d available to the rest of the Internet. Make sure you
> comment out services in /etc/inetd.conf that you don't need, set up
> /etc/hosts.allow and /etc/hosts.deny appropriately, maybe set up IP
> firewalling, and restrict access to all other services (e.g. for
> Samba, with "bind interfaces only = true"). Too many of these
> services (IMHO) run as root.

The home LAN is still a little ways off, but I thought most system
services needed to be run as root. I have pretty restrictive
/etc/hosts.* and ipfwadm setup as well as firewalling compiled into
the kernel. Services are attacked through the ports directly, I
think, so I've tried to make that safe.

> The other way for someone to access your computer is by the programs
> you run to access Internet services. For example, if you select a
> link to a Postscript file and look at it using a viewer that allows
> file operations, it could try to append the line below to your
> /etc/passwd:
>
> carrot::0:0:/:/bin/sh
>
> This is a simple example of why you shouldn't browse the web (or run
> unknown programs) as root. (Another reason is that if something goes
> wrong, "rm -rf /" does less damage as a user.)

This is why I was asking about dselect | ftp, because if I'm root, and
I'm running ftp via dselect, then isn't this exactly what you're
telling me not to do?

-- 
David Stern
------------------------------------------------------------------
http://weber.u.washington.edu/~kotsya
[EMAIL PROTECTED]
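Carey's advice about trimming /etc/inetd.conf and setting up /etc/hosts.allow and /etc/hosts.deny can be checked mechanically. The script below is an added example, not code from either poster: it audits a constructed inetd.conf sample (the file format and the tcpd wrapper convention are real, the entries are made up) and reports which enabled services inetd would start as root, which are not wrapped by tcpd, and whether hosts.deny defaults to deny.

```shell
#!/bin/sh
# Constructed sample of an /etc/inetd.conf, made up for this example.
# Field order: service socket proto wait/nowait user server args
SAMPLE_INETD_CONF='# constructed sample
ftp     stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.telnetd
#shell  stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.rshd
finger  stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
pop-3   stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.pop3d
smtp    stream tcp nowait mail   /usr/sbin/exim exim -bs
#discard stream tcp nowait root  internal'

# Constructed /etc/hosts.deny sample: deny everything tcpd is not told to
# allow in /etc/hosts.allow.
SAMPLE_HOSTS_DENY='# constructed sample
ALL: ALL'

# Print "service user" for each entry that is not commented out or blank.
enabled_services() {
    printf '%s\n' "$1" | awk 'NF == 0 || $1 ~ /^#/ { next }
                              NF >= 5 { print $1, $5 }'
}

# Print only the enabled services inetd would start as root: each one is
# a root-privileged process reachable from the network, so it should be
# commented out unless it is really needed.
enabled_root_services() {
    enabled_services "$1" | awk '$2 == "root" { print $1 }'
}

# Print enabled services whose server is neither tcpd nor "internal":
# hosts.allow and hosts.deny do not apply to those at all.
unwrapped_services() {
    printf '%s\n' "$1" | awk 'NF == 0 || $1 ~ /^#/ { next }
        NF >= 6 && $6 != "internal" && $6 !~ /tcpd$/ { print $1 }'
}

# Exit 0 when hosts.deny carries a catch-all "ALL: ALL" line, i.e. tcpd
# defaults to deny and hosts.allow is the only way in.
has_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:blank:]]*ALL[[:blank:]]*:[[:blank:]]*ALL'
}

# Stand-alone run: print the audit report.
echo "enabled services running as root:"
enabled_root_services "$SAMPLE_INETD_CONF"
echo "enabled services not wrapped by tcpd:"
unwrapped_services "$SAMPLE_INETD_CONF"
has_default_deny "$SAMPLE_HOSTS_DENY" && echo "hosts.deny: default deny OK"
```

On a real box, pass the contents of the actual files (e.g. `enabled_root_services "$(cat /etc/inetd.conf)"`) instead of the constructed samples.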