Hi,
I don't quite agree with you. Let me expose my views so each member of
the list can weight pros and cons:
> Not answering this thread, but would like to ask some related points
> for anyone who may be listening in:
>
> 1. RPMs.
>
> For practically everything else, I use RPMs for installation. For
> Squid, I've moved away from this approach. Standard RPMs still provide
> only 3.1.10. Non-standard RPMs, you have no idea where the next one is
> coming from, or whether it suits your needs. If you compile-your-own,
> you get the version you want, anytime you want
In my experience using "unofficial" rpms from the community is way
better than compile-your-own. More people try, test and fix unofficial
rpms than your own build. When you get someone providing those RPMs for
many releases, lie Eliezer, you can trust it almost like the "official"
community packages from your distro.
Besides, in the rare occasions you really need a custom build you can
start from the SRPM and still get dependency management, integrity
verification and other RPM/yum features that you loose then you
compile-your-own.
Better to help improve the RPM packages for the benefit of all the
community than selfishly wasting your time on a build only for yourself.
> 2. SELinux
>
> With Squid, normally you don't let end-users on the same server. In
> you don't have end-users on the same server, from a technical point of
> view, SELinux doesn't add value. If you have end-users on the same
> box, you probably have other issues to deal with first.
SELinux is very usefull even if no other user has shell access to the
machine. Turning off SELinux is like turning off your firewall. JUST DON'T.
Any process that listens for network packets can/wiil sometimes be
vulnerable to a buffer overflow or some other kind of remote exploit.
SELinux prevents those -- not only the known ones, but also those yet
unkown -- from doing more damage.
If a cracker finds some squid vulnerability but SELinux is enabled and
properly configured, he can only mess with the cache files, the things
squid normally has to have write access. But it there's no SELinux, we
can find a privilege escalation bug (though rare, those exists) and
become root. Even without privilege escalation, we can use the squid
proces to open network connections do do damage to other internal
servers, as your firewall will normally protect only the network edge,
and not internal servers from one another.
There are many other possibilities for a succesfull attach to squid (or
any other network server). But SELinux liimts even those running as root.
if you turn off SELinux, this means you simply don't understand how it
improves security. Some time ago you found you should learn how to
configure network firewalls. Just accept you now should learn how to
configure SElinux.
[]s, Fernando Lozano
Received on Fri May 16 2014 - 21:47:21 MDT
This archive was generated by hypermail 2.2.0 : Sun May 18 2014 - 12:00:06 MDT