[nycbug-talk] fave BSD tips/tricks?
carton at Ivy.NET
Tue Aug 25 13:00:20 EDT 2009
>>>>> "jba" == Jerry B Altzman <jbaltz at 3phasecomputing.com> writes:
jba> Clearly, your idea of what 'basic unix' things are and mine
mine's based on what used to be included on Unix systems. e.g., xcalc
is part of the base X11 distribution and used to always be there,
while on overmodularized Gentoo I don't get it unless I ask for it. I
get systems that have tar but are missing pax and cpio, systems that
don't have tcsh because, durrrrr, guess the sysadmin doesn't use tcsh!
I don't either, but leaving it out used to break most passwd files.
Likewise, emacs is an extremely basic tool expected on any serious
Unix system because well over half of wizards use it. It's like some
kind of revolution of the dropouts that emacs isn't expected any
more---clicky certified sysadmins don't use emacs so ``times have
changed''? We don't have to install it because nano-using idiots are
the ones doing the menial work of installing the systems that the
wizards have to use, at least what few wizards are left. ``works for
me so fuck off'' is a Windows attitude.
jba> Now, that's an interesting metaphor -- an emptier room is
jba> filled with more clutter.
yes, I thought it was interesting, too: trip over things which aren't
jba> Surely, you can realize that there are good and compelling
jba> reasons to NOT leave around a full set of tools; the smaller
jba> your surface area, the smaller your system is as a target.
surface area...again you're privileging the analogy over what it's
meant to illustrate, lost haggling about words instead of ideas.
Internet-exposed software listening on sockets makes your system a
bigger target, as does more kernel code, more network protocols
(IPv6), and more setuid binaries.
xcalc, not so much. It's just plain wrong. Deleting stuff like this
does jack all for your securitah. Installing things on the disk that
the attacker could just upload anyway doesn't make any difference! It
may set off your security buzzer a little more often, because
vulnerabilities like ``reading a malformed message with mutt could
execute arbitrary code in the user context'' won't go BRRK-BRRK if you
don't install mutt, but removing mutt doesn't give you any more
security than not using mutt. Do I really need to explain the unix
security model? It seems blatantly obvious to me, yet I see MOST
people operating under these silly wrong assumptions.
jba> We had a hard and fast rule about not even having
jba> compilers available on production servers: why give possible
jba> miscreants more tools to play with?
Or learn how to actually break into a machine, compete in a CTF game
yeah, doing nonsense like this may actually help you in CTF, but only
because it's a time-based spy-vs-spy game. Annoying yourself to annoy
the attacker without actually doing anything concrete to stop him is
dumb. Unless you really think that you are the only one who can
figure out how to compile programs somewhere else and/or install a
compiler when one isn't there, and the attacker can't manage it, which
seems preposterous since the attacker will have more skill than a
sysadmin of this kind.
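The message above argues that what enlarges a host's attack surface is the set of sockets listening to the network, the kernel code and protocols it runs, and its setuid binaries, not the presence of a tool like xcalc on disk. The script below is an added example, not part of the original post or anything its author wrote: it inventories exactly those two user-visible categories, reachable listeners and setuid/setgid executables. It assumes FreeBSD-style `sockstat -4 -6 -l` column layout, and the `sockstat` output embedded in it is a constructed sample so the script runs offline; the setuid scan uses plain `find` and works on any BSD or Linux.

```shell
#!/bin/sh
# Added example (not from the original post): list the parts of a host that
# actually count toward its attack surface in the sense argued above:
# network listeners reachable from outside and setuid/setgid executables.

# Constructed sample in the column layout of FreeBSD `sockstat -4 -6 -l`.
# On a live host, replace with:  sockstat -4 -6 -l | exposed_listeners
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     sshd       712   5  tcp6   *:22                  *:*
www      httpd      801   6  tcp4   192.0.2.10:80         *:*
mysql    mysqld     655   10 tcp4   127.0.0.1:3306        *:*
root     syslogd    402   7  udp4   *:514                 *:*
_ntp     ntpd       510   3  udp4   *:123                 *:*'

# Read sockstat output on stdin and print only listeners bound to a
# non-loopback address (field 6 is LOCAL ADDRESS; the header is skipped).
# A daemon bound to 127.0.0.1 or ::1 is not reachable from the network, so
# it is dropped; "*:port" means all interfaces and is kept.
exposed_listeners() {
    awk 'NR > 1 && $6 !~ /^(127\.|\[?::1\]?:)/ { print $1, $2, $5, $6 }'
}

# Print every regular file under the given directory trees that carries the
# setuid (4000) or setgid (2000) bit: these run with someone else's
# privileges, so each one is a local privilege boundary worth knowing about.
setid_binaries() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Demonstration on the constructed sample: prints sshd, httpd, syslogd and
# ntpd, but not mysqld (loopback only).
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
```

On a real box the two checks are `sockstat -4 -6 -l | exposed_listeners` and `setid_binaries /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin`; neither list will change when xcalc or a compiler is added or removed, which is the point being made.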