On Wed, 2004-12-15 at 21:23 -0500, Craig Partin wrote:
> Is SSH the only software people trust to listen for network
> connections? What's wrong with apache and SSL? And does myth
> (backend or frontend) listen for anything? Are there dangers in just
> having one machine running myth also running network services?

Apache is mature enough that most people feel comfortable running it. But even then, there are additional changes that could be made to mitigate risk, such as chrooting it, compiling it with support for only what you need, and making some changes to the default settings.

But I am thinking more along the lines of application weaknesses. Please bear in mind that what I'm about to write has no basis in known weaknesses in Myth or MythWeb; they are just somewhat likely scenarios.

Compromising a web application like MythWeb *could* lead to full system compromise. Consider that there is a MySQL backend, and unless MythWeb does a very good job of sanitizing input, it might be possible to manipulate the database. If you could manipulate the database, and get some command or string of your choice in there, when MythBackend reads the database (as root), that custom input could further exploit something like a buffer overflow. Game over.

Like I said, this isn't based on known vulnerabilities in Myth or MythWeb. The developers may very well have considered these scenarios. This is theoretical, but not uncommon.

_______________________________________________
mythtv-users mailing list
[EMAIL PROTECTED]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users