Donnie Barnes
Linux is Driving me $#@!!!! nutz!!!

On Tue, 03 Jan, DoN. Nichols wrote:
Various flavors of linux have various out-of-the-box security.
Some are quite secure, some are rather open.

You're changing the argument, AFAIC. Linux is itself inherently secure
because it *can* be secured quite well. Distributions, OTOH, are a
mechanism by which it can be rendered insecure (or not, depending).
Choosing your distribution of Linux can be just as important as the choice
was to use Linux in the first place.

My own favorite for security and stability is OpenBSD. Among
other things, it runs DNS servers, sendmail, and web servers in "chroot
jails", so if there is another security hole found in these, it severely
limits the damage which can be done.

Granted, the chroot jail for the web server requires a lot of
work-arounds for some common CGI programs.

And against some attacks can be utterly useless, which means to me that you
really just have a false sense of security with them combined with the
aggravation of having to make them work in every case, which is quite

And -- unlike Windows, anything which is likely to present even a
theoretical vulnerability is turned *off* by default, and you have to
figure out how to turn it on. In the process, you are expected to weigh
the need for that service against the security implications of turning
it on.

That is a great feature to have in a *distribution* of which you require
the utmost in security, sure.

As for the mention elsewhere in this thread about security
problems with ftp, telnet, and some other services -- those are turned
off by default (they were not designed for real security, back when the
net was a much kinder and gentler place), and ssh is the preferred

Those are turned off by default in most every Linux distribution as well.

I've actually kicked sendmail off of the system, and replaced it
with qmail, which I trust a lot more than I do sendmail. Qmail was
*designed* with security in mind.

Argh. Keep in mind that qmail isn't truly open source by most technically
accepted definitions. If you are simply an end user you can certainly use
it freely, so I'm being pedantic. The author and I share the same initials
and have shared several, err, heated debates about his software. The
confusion about our initials has caused me some grief, too, as he can be
much more of a jerk than I am generally known for (I have my moments as
well, but he seems to have many more) and people sometimes confuse me (on
the internet) for him. So I probably have a bias. Note that there is a
reason qmail isn't shipped with most Linux distributions, and it isn't
technical merits.

I used qmail back in the day when there were no other high performance
options to run high volume mailing lists on x86 hardware well and it served
that purpose. It was also terribly difficult to administer if a problem
*did* arise and I was very thankful when other options surfaced. But if it
works for you, great.


