* [gentoo-user] Mailing Lists
From: Kaushal Shriyan @ 2009-02-16 12:05 UTC
To: gentoo-user

Hi

Is there a mailing list to discuss the perl, python or bash scripting languages?

Thanks and Regards

Kaushal
* Re: [gentoo-user] Mailing Lists
From: Etaoin Shrdlu @ 2009-02-16 12:26 UTC
To: gentoo-user

On Monday 16 February 2009, 13:05, Kaushal Shriyan wrote:

> Hi
>
> Is there a mailing list to discuss the perl, python or bash scripting languages?

Yes. Search the respective sites for more information. There are also dedicated newsgroups.
* [gentoo-user] Gentoo as a production server - insecure?
From: Johannes Frandsen @ 2009-02-16 12:48 UTC
To: gentoo-user

I got into a discussion about which server to recommend for running the php5 symfony framework, and I recommended Gentoo as I had been using it myself for a couple of years and have been very satisfied with it.

Somebody pointed out that having a production server with gcc installed was a big no-no security-wise, so I did a bit of googling on that topic and found a couple of articles supporting that view.

Maybe I'm just ill informed, but I can't really see the big problem here. Sure, if there is a gcc compiler installed you can recompile everything to your heart's content, but you still need to get access to the server first. And if you have server access you can install gcc on any distribution. Even OpenBSD (to my knowledge) comes with gcc bundled, and they claim to be the most secure *nix available.

I'm using the gentoo hardened profile for my production servers with a LAMP stack and have considered them reasonably secure, but am I wrong in assuming this?

Joe
* Re: [gentoo-user] Gentoo as a production server - insecure?
From: Mike Kazantsev @ 2009-02-16 13:50 UTC
To: gentoo-user

On Mon, 16 Feb 2009 13:48:04 +0100
Johannes Frandsen <jsf@imento.dk> wrote:

> I got into a discussion about which server to recommend for running
> the php5 symfony framework, and I recommended Gentoo as I had been
> using it myself for a couple of years and have been very satisfied
> with it.
> Somebody pointed out that having a production server with gcc
> installed was a big no-no security-wise, so I did a bit of googling on
> that topic and found a couple of articles supporting that view.

I suppose it makes sense only in a much broader context: "remove everything that isn't necessary, even gcc".

It might certainly give an attacker a harder time, but if it's an x86/64 linux machine, I think that hardly matters - static binaries won't be a problem, so, if you're seriously considering that step to be necessary, get rid of coreutils (especially that 'rm' utility) and all the interpreters (even awk!) first.

--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Gentoo as a production server - insecure?
From: Mick @ 2009-02-16 14:27 UTC
To: gentoo-user

I happened to browse through a FreeBSD and a CentOS based virtual server and was amazed on both occasions at how slim these machines were. I've seen embedded Linux running more processes on hardware servers than what these machines were running. In that sense, gcc and the toolchain will easily be perceived as bloat and as potential for vulnerabilities and exploitation. In my humble opinion, it is all relative.

If you understand SELinux you may want to have a look at it. One of these days I promised myself to have a good read of it without falling asleep or developing a migraine! :p

The beauty of Gentoo is that you can build it as you want it.

2009/2/16 Mike Kazantsev <mike_kazantsev@fraggod.net>:
> On Mon, 16 Feb 2009 13:48:04 +0100
> Johannes Frandsen <jsf@imento.dk> wrote:
>
>> I got into a discussion about which server to recommend for running
>> the php5 symfony framework, and I recommended Gentoo as I had been
>> using it myself for a couple of years and have been very satisfied
>> with it.
>> Somebody pointed out that having a production server with gcc
>> installed was a big no-no security-wise, so I did a bit of googling on
>> that topic and found a couple of articles supporting that view.
>
> I suppose it makes sense only in a much broader context: "remove
> everything that isn't necessary, even gcc".
>
> It might certainly give an attacker a harder time, but if it's an x86/64 linux
> machine, I think that hardly matters - static binaries won't be a
> problem, so, if you're seriously considering that step to be necessary,
> get rid of coreutils (especially that 'rm' utility) and all the
> interpreters (even awk!) first.
>
> --
> Mike Kazantsev // fraggod.net

--
Regards,
Mick
* [gentoo-user] Re: Gentoo as a production server - insecure?
From: James @ 2009-02-16 15:51 UTC
To: gentoo-user

Johannes Frandsen <jsf <at> imento.dk> writes:

> Somebody pointed out that having a production server with gcc
> installed was a big no-no security-wise, so I did a bit of googling on
> that topic and found a couple of articles supporting that view.

From 10,000 feet above, for those less versed in running a daily "tight" network, it totally misses the point.

If you want to run a really secure network, model and profile the activity, set soft (say 5%) and hard (10%) alarms for certain types of traffic flows that could contain interloper activity. Then add tools that analyze the traffic where you perceive vulnerability.

If your organization does not have a "pathological hacker" on the payroll, then consider retaining a consultant periodically to perform penetration tests. Stay away from corporations, as most of their talent pool is on the weak side of modern genetic aptitude. Lock up your "special consultant" with an aggressive legal contract. Some really paranoid groups get different "special consultants" to perform penetration tests over time.

Layer your security through several firewalls. Partition the network via managed switches. If you suspect an internal interloper, then put him on an isolated segment with a stealth sniffer monitoring his activities (my idea of a stealth sniffer is to set the eth-int to 0.0.0.0 on that segment).

But why stop there. Most cell phone protocols/encryption have been cracked. Spend some money and start sniffing the local cell phone calls (monitoring for quality assurance). Note, may be illegal in your area, unless you pay the local governments money and show them how to do the same.... Amateur lie detection electronics are a lot of fun too! (at least for the prick that gets to ask the questions). Then there are urine tests. Anyone that has a good time with recreational drugs is automatically an interloper (guilty by association, right?). Build a network that requires tons of manual intervention, unlike what anyone else does.... Lots of other "out of the box" security ideas abound ==> caveat emptor!

If the rub is really the gcc compiler, then do not have it installed; activate a remote partition with any such tools as gcc, coreutils and use them for admin things. Then unmount these (NFS or such) necessary system tools when you're not actively using them. Or put them on a usb stick with (ivman or your favorite mechanism).

Prolly (I like this term so much, I "borrowed" it from another gentooer...) what you will discover is other admins do not like your "Gentoo" tendencies, because it's not their idea.... (just a hunch)....

My experience is when you constantly flesh_out a system and constantly update stuff, it stays more secure. Systems that get little attention are where the interlopers like to hide; imho. Gentoo does fall short on anomaly detection, as do most operating systems, but it's easy to remedy with modeling, profiling and analysis of the traffic flows....

I find the best security is obscurity, and secrecy of the admin's tools and traits for administration. Don't follow the herd/vendor rhetoric. Using the common approaches to security makes your life much easier. Add your own unique "spices" to the mixture of security tools you use. The "change_up" is the best and easiest pitch in baseball. Some admins never use the "change_up"?

SElinux is superb but a pain in the wazoooo. Lots of folks do not trust the NSA, mostly from a historical perspective. All governments have a vested interest in their citizens and businesses having really secure computers and networks. It makes their jobs (the spoofs) much easier. SElinux is focused on software security policy enforcement (orange book). SElinux in and of itself is not a complete solution for a tight network. It is a component that needs to be augmented with network and statistical tools and lots of tricks. Without admin tools, it is tedious and laborious, imho. I found a really cool java based tool to implement and manage it, but there was not much enthusiasm amongst the java nor selinux folks here at gentoo to implement the tool:

http://bugs.gentoo.org/show_bug.cgi?id=209435

This is just the tip of the iceberg; you can (and many do) go crazy with security. My best advice is make security "fun" for the nerds that perform the security admin work on a daily basis. You get a lot of satisfaction watching the CFO play video games or the board members connect to a foreign bank account on a network you secure....(grin). Not to mention folks with elite skills never seem to go unemployed, nor suffer from a lack of resources......

Our planet is corrupt; the question is who do we throw the first stone at, and for what 'bonafide' reasons.

ymmv,

James
* Re: [gentoo-user] Re: Gentoo as a production server - insecure?
From: Neil Bothwick @ 2009-02-16 22:36 UTC
To: gentoo-user

On Mon, 16 Feb 2009 15:51:11 +0000 (UTC), James wrote:

> If the rub is really the gcc compiler, then do not have it installed;
> activate a remote partition with any such tools as gcc, coreutils
> and use them for admin things. Then unmount these (NFS or such)
> necessary system tools when you're not actively using them.

Or don't install them at all. Put all the toolchain packages in /etc/portage/profile/package.provided or create a custom profile without a toolchain in @system. Then build the packages on another computer. If this is a production server, you'd want to test things before installing on the live server, so build everything on the test box and install on the server with emerge -K.

--
Neil Bothwick

ALZHEIMER.COM found . . . Out of . . . something . .
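The toolchain-free deployment Neil describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from Gentoo's own tooling: it writes the package.provided entries for the toolchain on the target box (validating that each one is an exact version with no operator, which is what that file requires), and wraps the `emerge -K` install so that a missing binary package fails instead of quietly compiling. The package versions, the `/var/cache/binpkgs-from-buildhost` directory and the `dev-lang/php` atom are constructed placeholders; `PROVIDED_FILE` defaults to a temp file so the script can be tried without root, and `DRY_RUN` defaults to 1 so `emerge` is only echoed unless you set `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not code from the thread: declare the toolchain as
# "provided" on a production box so portage never pulls gcc/binutils in,
# then install binary packages built on a separate build host with emerge -K.
#
# Assumptions (constructed for this example): the package versions below are
# placeholders; PROVIDED_FILE defaults to a temp file so the script can be
# exercised without root; DRY_RUN=1 (the default) only echoes the emerge call.

PROVIDED_FILE="${PROVIDED_FILE:-$(mktemp)}"
DRY_RUN="${DRY_RUN:-1}"

# Toolchain atoms to list in package.provided. Constructed versions: use the
# versions your build host actually carries (see `emerge -pv sys-devel/gcc`).
TOOLCHAIN_ATOMS="sys-devel/gcc-4.3.2
sys-devel/binutils-2.18
sys-devel/make-3.81"

# package.provided takes exact, fully versioned atoms with no operator
# (category/name-version[-rN]), so validate before writing anything.
valid_provided_entry() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z0-9][a-z0-9-]*/[A-Za-z0-9_+-]+-[0-9][A-Za-z0-9._]*(-r[0-9]+)?$'
}

# Write the atoms read from stdin to $1, one per line. Valid entries are kept;
# invalid ones are reported on stderr and the exit status becomes 1.
write_provided_file() {
  dest="$1"
  status=0
  : > "$dest"
  while IFS= read -r atom; do
    [ -n "$atom" ] || continue
    if valid_provided_entry "$atom"; then
      printf '%s\n' "$atom" >> "$dest"
    else
      echo "rejected: '$atom' (need category/name-version, no =, >= or ~)" >&2
      status=1
    fi
  done
  return "$status"
}

# Install prebuilt packages from the directory the build host exported.
# -K (--usepkgonly) refuses to compile, so a missing binary package fails
# loudly instead of dragging the toolchain back onto the server.
install_binpkgs() {
  pkgdir="$1"
  shift
  if [ "$DRY_RUN" = 0 ]; then
    PKGDIR="$pkgdir" emerge -K "$@"
  else
    echo "dry run: PKGDIR=$pkgdir emerge -K $*"
  fi
}

# Usage: generate the file, then install from the exported package directory
# (constructed path and atom; adjust to your own layout).
printf '%s\n' "$TOOLCHAIN_ATOMS" | write_provided_file "$PROVIDED_FILE"
echo "wrote $(grep -c . "$PROVIDED_FILE") entries to $PROVIDED_FILE"
install_binpkgs /var/cache/binpkgs-from-buildhost dev-lang/php
```

On the build (test) box the matching step is `emerge -B` (or `--buildpkg` alongside a normal install) with `PKGDIR` pointing at the directory you then copy to the server; `quickpkg` can also bundle an already-installed package. Keep the same profile, USE flags and CFLAGS on both boxes, since the server has nothing left to rebuild a mismatched package with.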
* Re: [gentoo-user] Re: Gentoo as a production server - insecure?
From: Mick @ 2009-02-20 8:36 UTC
To: gentoo-user

On Monday 16 February 2009, Neil Bothwick wrote:
> On Mon, 16 Feb 2009 15:51:11 +0000 (UTC), James wrote:
> > If the rub is really the gcc compiler, then do not have it installed;
> > activate a remote partition with any such tools as gcc, coreutils
> > and use them for admin things. Then unmount these (NFS or such)
> > necessary system tools when you're not actively using them.
>
> Or don't install them at all. Put all the toolchain packages
> in /etc/portage/profile/package.provided or create a custom profile
> without a toolchain in @system. Then build the packages on another
> computer. If this is a production server, you'd want to test things
> before installing on the live server, so build everything on the test
> box and install on the server with emerge -K.

Is there an article on the wiki for doing this? I have often thought about it, but never went as far as trying to do it. I was even looking at GNAP to see if that would be an alternative to building (remotely) a server.

--
Regards,
Mick
* Re: [gentoo-user] Gentoo as a production server - insecure?
From: Dirk Heinrichs @ 2009-02-16 17:33 UTC
To: gentoo-user

Hi,

would you please be so kind as to avoid hijacking other threads next time.

Thanks...

Dirk
* [gentoo-user] Re: Gentoo as a production server - insecure?
From: james @ 2009-02-16 20:15 UTC
To: gentoo-user

Dirk Heinrichs <dirk.heinrichs <at> online.de> writes:

> would you please be so kind as to avoid hijacking other threads next time.

Um, you must not have read the response.

I did specifically address and provide a remedy if indeed having gcc installed on a machine is a security threat.

Sure I expounded on the whole concept of security, because one of the most important aspects of any or all security is a measure of reasonableness and sufficiency. There are many instances, imho, where overkill for security is applied and often does not work, such as removing gcc from a system. A good hacker (security interloper) can patch a system without ever compiling anything on that system....

Your opinion that I hijacked a thread is, well, your opinion, at best.

Ignore what you do not like, or give a more singularly focused response, if you deem that necessary, but avoid pissing into a fan and telling the rest of us how cool and relevant you are.

After all, you did not even respond with any relevance to what the poster was looking for, did you? (you're just another pompous a.....)....

hth,

James
* Re: [gentoo-user] Re: Gentoo as a production server - insecure?
From: Matt Harrison @ 2009-02-16 20:27 UTC
To: gentoo-user

james wrote:
> Dirk Heinrichs <dirk.heinrichs <at> online.de> writes:
>
>> would you please be so kind as to avoid hijacking other threads next time.
>
> Um, you must not have read the response.
>
> I did specifically address and provide a remedy if indeed having gcc
> installed on a machine is a security threat.
>
> Sure I expounded on the whole concept of security, because one
> of the most important aspects of any or all security is a measure
> of reasonableness and sufficiency. There are many instances, imho,
> where overkill for security is applied and often does not work,
> such as removing gcc from a system. A good hacker (security interloper)
> can patch a system without ever compiling anything on that system....
>
> Your opinion that I hijacked a thread is, well, your opinion, at best.
>
> Ignore what you do not like, or give a more singularly focused response,
> if you deem that necessary, but avoid pissing into a fan and telling
> the rest of us how cool and relevant you are.
>
> After all, you did not even respond with any relevance to what the poster
> was looking for, did you? (you're just another pompous a.....)....
>
> hth,
> James

Actually Dirk wasn't talking to you at all; he was talking to the person that did indeed hijack the thread (titled "Mailing Lists") by replying to it with an unrelated email (titled "Gentoo as a production server - insecure?").

This was a valid point, as it was thread hijacking and it does make threads very difficult to manage. It does not, however, make it so difficult to manage that you cannot see Dirk replied to the original hijacking email, and not to you.

Now let's all kiss and make up :)

Matt
* Re: [gentoo-user] Re: Gentoo as a production server - insecure?
From: Dirk Heinrichs @ 2009-02-16 20:33 UTC
To: gentoo-user

Am Montag, 16. Februar 2009 21:15:50 schrieb james:

> Um, you must not have read the response.

I didn't reply to you, but to Johannes. Maybe your email client doesn't display the threads correctly. You can verify this by reading the headers, especially "In-reply-to:".

> I did specifically address and provide a remedy if indeed having gcc
> installed on a machine is a security threat.

The original thread was about "Mailing Lists" to discuss python or perl and was started by Kaushal Shriyan. It was hijacked by replying to it and changing the topic; again, see the "In-reply-to:" header.

Bye...

Dirk
* [gentoo-user] Re: Gentoo as a production server - insecure?
From: James @ 2009-02-16 21:35 UTC
To: gentoo-user

Dirk Heinrichs <dirk.heinrichs <at> online.de> writes:

> I didn't reply to you, but to Johannes. Maybe your email client doesn't
> display the threads correctly. You can verify this by reading the headers,
> especially "In-reply-to:".

> The original thread was about "Mailing Lists" to discuss python or perl
> and was started by Kaushal Shriyan. It was hijacked by replying to it and
> changing the topic; again, see the "In-reply-to:" header.

Oops, I did not even notice (sorry). Gmane does show the threads correctly (although sometimes it borks). My bad; I just saw your response under mine in gmane...... I missed the original thread poster completely. Sometimes gmane does not process all postings timely.

It'd help if you mentioned the person's name explicitly when you or anyone chastises a poster. But, IIIII missed it in the thread listing, so <...> on me.

James
* Re: [gentoo-user] Mailing Lists
From: Dan Cowsill @ 2009-02-16 15:11 UTC
To: gentoo-user

On Mon, Feb 16, 2009 at 7:05 AM, Kaushal Shriyan <kaushalshriyan@gmail.com> wrote:
> Hi
>
> Is there a mailing list to discuss the perl, python or bash scripting
> languages?
>
> Thanks and Regards
>
> Kaushal
>

http://lmgtfy.com/?q=perl+mailing+list
http://lmgtfy.com/?q=python+mailing+list

As far as I can tell, there is no Bash mailing list apart from bug-bash. You'll probably get flamed if you post questions there.
* Re: [gentoo-user] Mailing Lists
From: Hilco Wijbenga @ 2009-02-16 16:35 UTC
To: gentoo-user

2009/2/16 Dan Cowsill <danthehat@gmail.com>:
> On Mon, Feb 16, 2009 at 7:05 AM, Kaushal Shriyan
> <kaushalshriyan@gmail.com> wrote:
>> Hi
>>
>> Is there a mailing list to discuss the perl, python or bash scripting
>> languages?
>>
>> Thanks and Regards
>>
>> Kaushal
>>
>
> http://lmgtfy.com/?q=perl+mailing+list
> http://lmgtfy.com/?q=python+mailing+list
>
> As far as I can tell, there is no Bash mailing list apart from
> bug-bash. You'll probably get flamed if you post questions there.

Despite the name, this list is for general Bash questions too.
* Re: [gentoo-user] Mailing Lists
From: Dan Cowsill @ 2009-02-17 14:06 UTC
To: gentoo-user

On Mon, Feb 16, 2009 at 11:35 AM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
> 2009/2/16 Dan Cowsill <danthehat@gmail.com>:
>> On Mon, Feb 16, 2009 at 7:05 AM, Kaushal Shriyan
>> <kaushalshriyan@gmail.com> wrote:
>>> Hi
>>>
>>> Is there a mailing list to discuss the perl, python or bash scripting
>>> languages?
>>>
>>> Thanks and Regards
>>>
>>> Kaushal
>>>
>>
>> http://lmgtfy.com/?q=perl+mailing+list
>> http://lmgtfy.com/?q=python+mailing+list
>>
>> As far as I can tell, there is no Bash mailing list apart from
>> bug-bash. You'll probably get flamed if you post questions there.
>
> Despite the name, this list is for general Bash questions too.
>

Ah, thank you for clarifying.

D