On Saturday, 10/21/2006 at 06:45 AST, Michael MacIsaac/Poughkeepsie/[EMAIL PROTECTED] wrote:

> > But, with various security holes in Apache, particularly around CGI
> Don't any holes get patched on a regular basis? If I am up to date on all
> of my patches, I would not expect there to be a known hole in Apache CGIs.
> We do tout the open source model as having superior security, largely
> because of peer review, no?

Oh, dear. A religious argument. "Security" is an attribute of the system that is independent of the closed/open status of the source code. And "security" is only meaningful in the presence of "integrity" (the inability to get around the security functions). Integrity is also independent of the status of the source code.

One does not fear known holes - they get patched (that's how you learn of them). Instead, one fears the *unknown* holes - those that *you* don't know about, but someone else does.

> > a rule of security: be paranoid.
> I feel that prudence must balance paranoia.

You balance paranoia by evaluating what the cost is if the web server is compromised. If you give the web server the ability to issue any CP command, then a hacked web server gives that access to the hacker. About the only command a web server needs is the SMSG command so that it can request that another, trusted, server handle the CP requests, limiting them to only the needed functions.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390