On Tue, Mar 4, 2008 at 8:12 AM, J E <[EMAIL PROTECTED]> wrote:
> The question is what do you gain by removing it?  Are you also
>  removing perl, gcc, sendmail and the like? Those are bigger worries if
>  someone gets in.

You gain not having vulnerable software installed on your system.
There is no downside to that if you don't need the software.

>  For me, it all comes down to what can I do to make the system (and the
>  network) secure so that people don't get in - because once they do, it
>  really doesn't matter what's installed. Many attackers/script kiddies/
>  bad guys bring their own toolset - and those that don't aren't looking
>  to go on a mad printing spree.

But it can matter what is installed if what is installed allows
privilege escalation and the entry to the system was as an
unprivileged user. Cups has had vulnerabilities where printing naughty
documents could execute arbitrary code for example. I'm not saying
this would have been exploitable under these conditions, but there is
one less thing to worry about here if cups isn't installed at all.

It is a very sensible practice to not install services you don't need.

FWIW I don't mind not installing cups/redhat-lsb on my systems that
don't use cups. It is a waste of space, introduces possible
vulnerabilities, adds to maintenance effort, and serves no purpose.

John

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list