FreeBSD and User Security
David Naylor
naylor.b.david at gmail.com
Thu Jun 12 13:19:37 UTC 2008
On Wednesday 11 June 2008 23:47:43 you wrote:
> On Wed, Jun 11, 2008 at 10:25:32PM +0200, David Naylor wrote:
> > Hi All,
> >
> > Today I read an article describing how my government had lost ZAR200 000
> > 000 from fraud. This is just under $25 000 000. The article credited
> > this loss largely due to the use of spyware.
> >
> > My question is how secure is FreeBSD (including KDE, GNOME and XFCE) to
> > attacks, including cracking and spyware.
>
> That is a very broad question without a simple answer. It depends among
> other things on the purpose of the machine and the knowledge of the
> administrator.
>
> E.g, if you are creating a workstation that doesn't run externally
> accessible servers you could configure the firewall to block all
> incoming new connection requests. That will go a long way toward
> safeguarding the machine against network attacks.
>
> There is no way to safeguard a machine that an attacker has physical
> access to; he could e.g. steal the harddisk and read your data at his
> leisure (unless it is encrypted on-disk, e.g. with geli(8)). Also, no OS
> can defend against social engineering attacks.
>
> I would not worry overly much about spyware. Most if not all of those
> are windows binaries. Also, unix mail clients as a rule do not execute
> scripts embedded in mail messages.
I think this argument is rather mute, just because there are no programs
exploiting security vulnerabilities does not been there are not
vulnerabilities, and a determined cracker would create his own program. That
said I hope there are, actually, no vulnerabilities.
[Security through obscurity is just an illusion]
> > In addition, is there anyway to
> > prevent a user from executing a program that is not owned by root (i.e.
> > any program installed by the user), this would prevent spyware being
> > installed (assuming root has been properly locked down) and subsequently
> > run.
>
> You could mount /home and other partitions where users have write access
> like /tmp with the noexec option. Note that that wouldn't block the
> execution of scripts, just binaries.
Excellent idea, that would work just fine :-). I think /var/tmp should be
added to the list.
If a script is run using #!/bin/sh would that then be executable with noexec
(i.e. running "./example.sh" instead of "sh ./example.sh)
Thank you to everyone who has replied, it was been informative.
Regards
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080612/b1411b0d/attachment.pgp
More information about the freebsd-questions
mailing list